[VIM] Sun confirms SUNALERT:102496 link to CVE-2006-3159

Steven M. Christey coley at mitre.org
Mon Jul 3 16:20:51 EDT 2006


We just received e-mail confirmation from Sun that their
SUNALERT:102496 is in fact related to the Full-Disclosure post from a
couple weeks back (CVE-2006-3159).  The details in the alert were a
little vague albeit fairly similar, but the lack of cross-references
made things too uncertain by CVE's standards.

- Steve

======================================================
Name: CVE-2006-3159
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3159
Reference: FULLDISC:20060614 Sun iPlanet Messaging Server 5.2 root password compromise
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046920.html
Reference: SUNALERT:102496
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-102496-1
Reference: SECTRACK:1016312
Reference: URL:http://securitytracker.com/id?1016312
Reference: XF:iplanet-msgconf-symlink(27220)
Reference: URL:http://xforce.iss.net/xforce/xfdb/27220

pipe_master in Sun ONE/iPlanet Messaging Server 5.2 HotFix 1.16 (built
May 14 2003) allows local users to read portions of restricted files
via a symlink attack on msg.conf in a directory identified by the
CONFIGROOT environment variable, which returns the first line of the
file in an error message.




More information about the VIM mailing list