finger 0@host on some systems may print information on some user accounts.
finger .@host on some systems may print information on some user accounts.
Windows NT FTP server (WFTP) with the guest account enabled without a password allows an attacker to log into the FTP server using any username and pa...
Denial of service in Sendmail 8.6.11 and 8.6.12.
Attackers can do a denial of service of IRC by crashing the server.
Windows NT TCP/IP processes fragmented IP packets improperly, causing a denial of service.
Buffer overflow in IP-Switch IMail and Seattle Labs Slmail 2.6 packages using a long VRFY command, causing a denial of service and possibly remote acc...
Some filters or firewalls allow fragmented SYN packets with IP reserved bits in violation of their implemented policy.
Linux cfingerd could be exploited to gain root access.
A race condition in the authentication agent mechanism of sshd 1.2.17 allows an attacker to steal another user's credentials.
Buffer overflow in ircd allows arbitrary command execution.
MetaInfo MetaWeb web server allows users to upload, execute, and read scripts.
mSQL v2.0.1 and below allows remote execution through a buffer overflow.
The Java Web Server would allow remote users to obtain the source code for CGI programs.
Denial of service in telnet from the Windows NT Resource Kit, by opening and then immediately closing a connection.
In some NT web servers, appending a space at the end of a URL may allow attackers to read source code for active pages.
Local or remote users can force ControlIT 4.5 to reboot or force a user to log out, resulting in a denial of service.
NetWare version of LaserFiche stores usernames and passwords unencrypted, and allows administrative changes without logging.
Microsoft Access 97 stores a database password as plaintext in a foreign mdb, allowing access to data.
The Forms 2.0 ActiveX control (included with Visual Basic for Applications 5.0) can be used to read text from a user's clipboard when the user accesse...
DataLynx suGuard trusts the PATH environment variable to execute the ps command, allowing local users to execute commands as root.
Remote attackers can cause a denial of service in Sendmail 8.8.x and 8.9.2 by sending messages with a large number of headers.
DPEC Online Courseware allows an attacker to change another user's password without knowing the original password.
A race condition in the BackWeb Polite Agent Protocol allows an attacker to spoof a BackWeb server.
The demo version of the Quakenbush NT Password Appraiser sends passwords across the network in plaintext.
In some instances of SSH 1.2.27 and 2.0.11 on Linux systems, SSH will allow users with expired accounts to log in.
The DCC server command in the Mirc 5.5 client doesn't filter characters from file names properly, allowing remote attackers to place a malicious file ...
A race condition in Linux 2.2.1 allows local users to read arbitrary memory from /proc files.
IIS 4.0 and Apache log HTTP request methods, regardless of how long they are, allowing a remote attacker to hide the URL they really request.
A service or application has a backdoor password that was placed there by the developer.
An attacker can identify a CISCO device by sending a SYN packet to port 1999, which is for the Cisco Discovery Protocol (CDP).
A remote attacker can sometimes identify the operating system of a host based on how it reacts to some IP or ICMP packets, using a tool such as nmap o...
Remote attackers can crash Lynx and Internet Explorer using an IMG tag with a large width parameter.
A remote attacker can gain access to a file system using .. (dot dot) when accessing SMB shares.
Anonymous FTP is enabled.
A mail server is explicitly configured to allow SMTP mail relay, which allows abuse by spammers.
An unrestricted remote trust relationship for Unix systems has been set up, e.g. by using a + sign in /etc/hosts.equiv.
A system-critical NETBIOS/SMB share has inappropriate access control.
ICMP echo (ping) is allowed from arbitrary hosts.
The permissions for system-critical data in an anonymous FTP account are inappropriate. For example, the root directory is writeable by world, a real...
A router or firewall forwards external packets that claim to come from inside the network that the router/firewall is in front of.
A router or firewall forwards packets that claim to come from IANA reserved or private addresses, e.g. 10.x.x.x, 127.x.x.x, 217.x.x.x, etc.
A system is operating in "promiscuous" mode which allows it to perform packet sniffing.
A trust relationship exists between two Unix hosts.
An SSH server allows authentication through the .rhosts file.
A superfluous NFS server is running, but it is not importing or exporting any file systems.
Windows NT automatically logs in an administrator upon rebooting.
NFS exports system-critical data to the world, e.g. / or a password file.
A Unix account with a name other than "root" has UID 0, i.e. root privileges.
Two or more Unix accounts have the same UID.
A system-critical Unix file or directory has inappropriate permissions.
A system-critical Windows NT file or directory has inappropriate permissions.
IIS has the #exec function enabled for Server Side Include (SSI) files.
An attacker can force a printer to print arbitrary documents (e.g. if the printer doesn't require a password) or to become disabled.
A Sendmail alias allows input to be piped to a program.
rpc.admind in Solaris is not running in a secure mode.
A URL for a WWW directory allows auto-indexing, which provides a list of all files in that directory if it does not contain an index.html file.
Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.
A router's configuration service or management interface (such as a web server or telnet) is configured to allow connections from arbitrary hosts.
A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.
A Windows NT system's registry audit policy does not log an event success or failure for security-critical registry keys.
A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys.
The HKEY_LOCAL_MACHINE key in a Windows NT system has inappropriate, system-critical permissions.
The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions.
There is a one-way or two-way trust relationship between Windows NT domains.
A Windows NT file system is not NTFS.
A network service is running on a nonstandard port.
A WWW server is not running in a restricted file system, e.g. through a chroot, thus allowing access to system-critical data.
A filter in a router or firewall allows unusual fragmented packets.
A system-critical Windows NT registry key has inappropriate permissions.
An event log in Windows NT has inappropriate access permissions.
The Logon box of a Windows NT system displays the name of the last user who logged in.
The default setting for the Winlogon key entry ShutdownWithoutLogon in Windows NT allows users with physical access to shut down a Windows NT system w...
A Windows NT system does not restrict access to removable media drives such as a floppy disk drive or CDROM drive.
A Windows NT log file has an inappropriate maximum size or retention period.
A Windows NT account policy does not forcibly disconnect remote users from the server when their logon hours expire.
A network intrusion detection system (IDS) does not properly handle packets that are sent out of order, allowing an attacker to escape detection.
A network intrusion detection system (IDS) does not properly handle packets with improper sequence numbers.
A network intrusion detection system (IDS) does not verify the checksum on a packet.
A network intrusion detection system (IDS) does not properly handle data within TCP handshake packets.
A network intrusion detection system (IDS) does not properly reassemble fragmented packets.
In Windows NT, an inappropriate user is a member of a group, e.g. Administrator, Backup Operators, Domain Admins, Domain Guests, Power Users, Print Op...
A system-critical Windows NT registry key has an inappropriate value.
The rpc.sprayd service is running.
The rexec service is running.
The rstat/rstatd service is running.
The rpc.rquotad service is running.
The ident/identd service is running.
The NT Alerter and Messenger services are running.
The RPC portmapper service is running.
The echo service is running.
The discard service is running.
The systat service is running.
The daytime service is running.
The chargen service is running.
The Gopher service is running.
The UUCP service is running.
The netstat service is running, which provides sensitive information to remote attackers.
The rsh/rlogin service is running.
A component service related to NIS+ is running.
The OS/2 or POSIX subsystem in NT is enabled.
The ugidd RPC interface, by design, allows remote attackers to enumerate valid usernames by specifying arbitrary UIDs that ugidd maps to local user an...
WinGate is being used.
A system is running a version of software that was replaced with a Trojan Horse at one of its distribution points, such as (1) TCP Wrappers 7.6, (2) u...
A system-critical program or library does not have the appropriate patch, hotfix, or service pack installed, or is outdated or obsolete.
A system-critical program, library, or file has a checksum or other integrity measurement that indicates that it has been modified.
An application-critical Windows NT registry key has inappropriate permissions.
An application-critical Windows NT registry key has an inappropriate value.
Denial of service in IP protocol logger (ippl) on Red Hat and Debian Linux.
PIM software for Royal daVinci does not properly password-protect access to data stored in the .mdb (Microsoft Access) file, which allows local users ...
Win32 ICQ 98a 1.30, and possibly other versions, does not display the entire portion of long filenames, which could allow attackers to send an executa...
Off-by-one error in NcFTPd FTP server before 2.4.1 allows a remote attacker to cause a denial of service (crash) via a long PORT command.
wget 1.5.3 follows symlinks to change permissions of the target file instead of the symlink itself.
IPswitch IMail allows local users to gain additional privileges and modify or add mail accounts by setting the "flags" registry key to 1920.
The default configuration of Slackware 3.4, and possibly other versions, includes . (dot, the current directory) in the PATH environment variable, w...
HP-UX aserver program allows local users to gain privileges via a symlink attack.
Buffer overflow in the bootp server in the Debian Linux netstd package.
Buffer overflow in the FTP client in the Debian GNU/Linux netstd package.
search.cgi in the SolutionScripts Home Free package allows remote attackers to view directories via a .. (dot dot) attack.
Buffer overflow in Dosemu Slang library in Linux.
Local users can perform a denial of service in Tripwire 1.2 and earlier using long filenames.
The cryptographic challenge of SMB authentication in Windows 95 and Windows 98 can be reused, allowing an attacker to replay the response and imperson...
L0phtcrack 2.5 used temporary files in the system TEMP directory which could contain password information.
Vulnerability in KDE konsole allows local users to hijack or observe sessions of other users by accessing certain devices.
Solaris ff.core allows local users to modify files.
Buffer overflow in Thomas Boutell's cgic library version up to 1.05.
Cisco IOS 12.0 and other versions can be crashed by malicious UDP packets to the syslog port.
By design, Maximizer Enterprise 4 calendar and address book program allows arbitrary users to modify the calendar of other users when the calendar is ...
Buffer overflow in fpcount.exe in IIS 4.0 with FrontPage Server Extensions allows remote attackers to execute arbitrary commands.
When IIS 2 or 3 is upgraded to IIS 4, ism.dll is inadvertently left in /scripts/iisadmin, which does not restrict access to the local machine and allo...
Linux ftpwatch program allows local users to gain root privileges.
A default configuration of Apache on Debian GNU/Linux sets the ServerRoot to /usr/doc, which allows remote users to read documentation files for the e...
Windows NT 4.0 beta allows users to read and delete shares.
Denial of service in Linux 2.0.36 allows local users to prevent any server from listening on any non-privileged port.
Buffer overflow in dtaction command gives root access.
WebRamp M3 router does not disable remote telnet or HTTP access to itself, even when access has been explicitly disabled.
Buffer overflow in FTP server in Microsoft IIS 3.0 and 4.0 allows local and sometimes remote attackers to cause a denial of service via a long NLST (l...
ControlIT 4.5 and earlier (aka Remotely Possible) has weak password encryption.
ControlIT v4.5 and earlier uses weak encryption to store usernames and passwords in an address book.
Windows 98 and other operating systems allow remote attackers to cause a denial of service via crafted "oshare" packets, possibly involving invalid f...
Buffer overflow in at program in Digital UNIX 4.0 allows local users to gain root privileges via a long command line argument.
Internet Explorer 4.01 allows remote attackers to read local files and spoof web pages via a "%01" character in an "about:" Javascript URL, which caus...
Denial of service in Linux 2.2.0 running the ldd command on a core file.
The ExAir sample site in IIS 4 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to the (1) advsearch.asp, (...
In IIS, an attacker could determine a real path using a request for a non-existent URL that would be interpreted by Perl (perl.exe).
IIS ASP caching problem releases sensitive information when two virtual servers share the same physical directory.
A buffer overflow in the FTP list (ls) command in IIS allows remote attackers to conduct a denial of service and, in some cases, execute arbitrary com...
Vulnerability in (1) rlogin daemon rshd and (2) scheme on SCO UNIX OpenServer 5.0.5 and earlier, and SCO UnixWare 7.0.1 and earlier, allows remote att...
Versions of rpcbind including Linux, IRIX, and Wietse Venema's rpcbind allow a remote attacker to insert and delete entries by spoofing a source addre...
Buffer overflow in Solaris lpstat via class argument allows local users to gain root access.
netstation.navio-com.rte 1.1.0.1 configuration script for Navio NC on IBM AIX exports /tmp over NFS as world-readable and world-writable.
The debug option in Caldera Linux smail allows remote attackers to execute commands via shell metacharacters in the -D option for the rmail command.
MS Site Server 2.0 with IIS 4 can allow users to upload content, including ASP, to the target web site, thus allowing them to execute commands remotel...