
[PROPOSAL] Cluster RECENT-50 - 37 candidates



The following cluster contains 37 candidates that were announced
between December 19, 2000 and January 31, 2001. (The candidates from
late January were reserved by organizations for use in initial public
vulnerability announcements. The remaining candidates from January
will be proposed in a few weeks.)

You may vote on the candidates by modifying this email and sending it
back to me, or by using the CVE voting web site. The voting web site
will be updated for this cluster later today. New Editorial Board
members will also be notified of their account information.

The candidates are listed in order of priority. Priority 1 and
Priority 2 candidates both deal with varying levels of vendor
confirmation, so they should be easy to review and it can be trusted
that the problems are real.

If you discover that any RECENT-XX cluster is incomplete with respect
to the problems discovered during the relevant timeframe, please send
that information to me so that candidates can be assigned.

- Steve


Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some minor detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is not a "vulnerability", or is a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ". If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included. References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes.
   So if you don't have sufficient information for a candidate but you
   don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2001-0003
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0003
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010104
Category: SF/CF/MP/SA//unknown
Reference: MS:MS01-001
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-001.asp

Web Extender Client (WEC) in Microsoft Office 2000, Windows 2000, and
Windows Me does not properly process Internet Explorer security
settings for NTLM authentication, which allows attackers to obtain
NTLM credentials and possibly obtain the password, aka the "Web Client
NTLM Authentication" vulnerability.

Analysis
----------------
ED_PRI CAN-2001-0003 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0004
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0004
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010104
Category: SF/CF/MP/SA//unknown
Reference: BUGTRAQ:20010108 IIS 5.0 allows viewing files using %3F+.htr
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=97897954625305&w=2
Reference: MS:MS01-004
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-004.asp

IIS 5.0 and 4.0 allows remote attackers to read the source code for
executable web server programs by appending "%3F+.htr" to the
requested URL, which causes the files to be parsed by the .HTR ISAPI
extension, aka a variant of the "File Fragment Reading via .HTR"
vulnerability.

Analysis
----------------
ED_PRI CAN-2001-0004 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0005
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0005
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010104
Category: SF
Reference: ATSTAKE:A012301-1
Reference: URL:http://www.atstake.com/research/advisories/2001/a012301-1.txt
Reference: MS:MS01-002
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-002.asp

Buffer overflow in the parsing mechanism of the file loader in
Microsoft PowerPoint 2000 allows attackers to execute arbitrary
commands.

Analysis
----------------
ED_PRI CAN-2001-0005 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0006
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0006
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010104
Category: SF/CF/MP/SA//unknown
Reference: BUGTRAQ:20010126 ntsecurity.nu advisory: Winsock Mutex Vulnerability in Windows NT 4.0 SP6 and below
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=98075221915234&w=2
Reference: MS:MS01-003
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-003.asp

The Winsock2ProtocolCatalogMutex mutex in Windows NT 4.0 has
inappropriate Everyone/Full Control permissions, which allows local
users to modify the permissions to "No Access" and disable Winsock
network connectivity to cause a denial of service, aka the "Winsock
Mutex" vulnerability.

Analysis
----------------
ED_PRI CAN-2001-0006 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0008
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0008
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010110
Category: SF
Reference: CERT:CA-2001-01
Reference: URL:http://www.cert.org/advisories/ca-2001-01.html

Backdoor account in the database server allows remote attackers to
overwrite arbitrary files using stored procedures.

Analysis
----------------
ED_PRI CAN-2001-0008 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0010
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0010
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010118
Category: SF/CF/MP/SA//unknown
Reference: CERT:CA-2001-02
Reference: URL:http://www.cert.org/advisories/ca-2001-02.html
Reference: NAI:20010129 Vulnerabilities in BIND 4 and 8
Reference: URL:http://www.pgp.com/research/covert/advisories/047.asp

Buffer overflow in the transaction signature (TSIG) handling code in
BIND 8 allows remote attackers to gain root privileges.

Analysis
----------------
ED_PRI CAN-2001-0010 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0011
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0011
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010118
Category: SF/CF/MP/SA//unknown
Reference: CERT:CA-2001-02
Reference: URL:http://www.cert.org/advisories/ca-2001-02.html
Reference: NAI:20010129 Vulnerabilities in BIND 4 and 8
Reference: URL:http://www.pgp.com/research/covert/advisories/047.asp

Buffer overflow in the nslookupComplain function in BIND 4 allows
remote attackers to gain root privileges.

Analysis
----------------
ED_PRI CAN-2001-0011 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0012
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0012
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010119
Category: SF/CF/MP/SA//unknown
Reference: CERT:CA-2001-02
Reference: URL:http://www.cert.org/advisories/ca-2001-02.html
Reference: NAI:20010129 Vulnerabilities in BIND 4 and 8
Reference: URL:http://www.pgp.com/research/covert/advisories/047.asp

BIND 4 and BIND 8 allow remote attackers to access sensitive
information such as environment variables.

Analysis
----------------
ED_PRI CAN-2001-0012 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0013
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0013
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010125
Category: SF/CF/MP/SA//unknown
Reference: CERT:CA-2001-02
Reference: URL:http://www.cert.org/advisories/ca-2001-02.html
Reference: NAI:20010129 Vulnerabilities in BIND 4 and 8
Reference: URL:http://www.pgp.com/research/covert/advisories/047.asp

Format string vulnerability in the nslookupComplain function in BIND 4
allows remote attackers to gain root privileges.

Analysis
----------------
ED_PRI CAN-2001-0013 1
Vendor Acknowledgement: unknown

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0014
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0014
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010127
Category: SF/CF/MP/SA//unknown
Reference: MS:MS01-006
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms01-006.asp

Remote Data Protocol (RDP) in Windows 2000 Terminal Service does not
properly handle certain packets, which allows remote attackers to
cause a denial of service, aka the "Invalid RDP Data" vulnerability.

Analysis
----------------
ED_PRI CAN-2001-0014 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0019
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0019
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010131
Category: SF/CF/MP/SA//unknown
Reference: ATSTAKE:A013101-1
Reference: URL:http://www.atstake.com/research/advisories/2001/a013101-1.txt
Reference: CISCO:20010131 Cisco Content Services Switch Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/arrowpoint-cli-filesystem-pub.shtml

Arrowpoint (aka Cisco Content Services, or CSS) allows local users to
cause a denial of service via a long argument to the "show script,"
"clear script," "show archive," "clear archive," "show log," or "clear
log" commands.

Analysis
----------------
ED_PRI CAN-2001-0019 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0020
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0020
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010131
Category: SF/CF/MP/SA//unknown
Reference: ATSTAKE:A013101-1
Reference: URL:http://www.atstake.com/research/advisories/2001/a013101-1.txt
Reference: CISCO:20010131 Cisco Content Services Switch Vulnerability
Reference: URL:http://www.cisco.com/warp/public/707/arrowpoint-cli-filesystem-pub.shtml

Directory traversal vulnerability in Arrowpoint (aka Cisco Content
Services, or CSS) allows local unprivileged users to read arbitrary
files via a .. (dot dot) attack.

Analysis
----------------
ED_PRI CAN-2001-0020 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0069
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0069
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: DEBIAN:DSA-008-1
Reference: URL:http://www.debian.org/security/2000/20001225
Reference: BID:2151
Reference: URL:http://www.securityfocus.com/bid/2151
Reference: XF:dialog-symlink
Reference: URL:http://xforce.iss.net/static/5809.php

dialog before 0.9-20000118-3-bis in Debian Linux allows local users to
overwrite arbitrary files via a symlink attack.

Analysis
----------------
ED_PRI CAN-2001-0069 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0071
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0071
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: REDHAT:RHSA-2000-131
Reference: URL:http://www.redhat.com/support/errata/rhsa-2000-131.html
Reference: MANDRAKE:MDKSA-2000-087
Reference: URL:http://www.linux-mandrake.com/en/updates/2000/mdksa-2000-087.php3
Reference: DEBIAN:DSA-010-1
Reference: URL:http://www.debian.org/security/2000/20001225b
Reference: XF:gnupg-detached-sig-modify
Reference: URL:http://xforce.iss.net/static/5802.php
Reference: CONECTIVA:CLA-2000:368
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000368
Reference: BID:2141
Reference: URL:http://www.securityfocus.com/bid/2141
Reference: BUGTRAQ:20001220 Trustix Security Advisory - gnupg ftpd-BSD
Reference: URL:http://www.securityfocus.com/archive/1/152197

gpg (aka GnuPG) 1.0.4 and other versions do not properly verify
detached signatures, which allows attackers to modify the contents of
a file without detection.

Analysis
----------------
ED_PRI CAN-2001-0071 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0072
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0072
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: REDHAT:RHSA-2000-131
Reference: URL:http://www.redhat.com/support/errata/rhsa-2000-131.html
Reference: MANDRAKE:MDKSA-2000-087
Reference: URL:http://www.linux-mandrake.com/en/updates/2000/mdksa-2000-087.php3
Reference: DEBIAN:DSA-010-1
Reference: URL:http://www.debian.org/security/2000/20001225b
Reference: CONECTIVA:CLA-2000:368
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000368
Reference: BUGTRAQ:20001220 Trustix Security Advisory - gnupg ftpd-BSD
Reference: URL:http://www.securityfocus.com/archive/1/152197
Reference: BID:2153
Reference: URL:http://www.securityfocus.com/bid/2153
Reference: XF:gnupg-reveal-private
Reference: URL:http://xforce.iss.net/static/5803.php

gpg (aka GnuPG) 1.0.4 and other versions imports both public and
private keys from public key servers without notifying the user about
the private keys, which could allow an attacker to break the web of
trust.

Analysis
----------------
ED_PRI CAN-2001-0072 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0085
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0085
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: HP:HPSBUX0012-135
Reference: URL:http://archives.neohapsis.com/archives/hp/2000-q4/0083.html
Reference: BID:2170
Reference: URL:http://www.securityfocus.com/bid/2170
Reference: XF:hpux-kermit-bo
Reference: URL:http://xforce.iss.net/static/5793.php

Buffer overflow in Kermit communications software in HP-UX 11.0 and
earlier allows local users to cause a denial of service and possibly
execute arbitrary commands.

Analysis
----------------
ED_PRI CAN-2001-0085 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0093
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0093
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: NETBSD:NetBSD-SA2000-017
Reference: URL:ftp://ftp.netbsd.org/pub/netbsd/misc/security/advisories/netbsd-sa2000-017.txt.asc

Vulnerability in telnetd in FreeBSD 1.5 allows local users to gain
root privileges by modifying critical environment variables that
affect the behavior of telnetd.

Analysis
----------------
ED_PRI CAN-2001-0093 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0094
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0094
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: NETBSD:NetBSD-SA2000-017
Reference: URL:ftp://ftp.netbsd.org/pub/netbsd/misc/security/advisories/netbsd-sa2000-017.txt.asc

Buffer overflow in libkrb (Kerberos 4 library) in FreeBSD 1.5 allows
local users to gain root privileges.

Analysis
----------------
ED_PRI CAN-2001-0094 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0096
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0096
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: MS:MS00-100
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-100.asp
Reference: XF:iis-web-form-submit
Reference: URL:http://xforce.iss.net/static/5823.php

FrontPage Server Extensions (FPSE) in IIS 4.0 and 5.0 allows remote
attackers to cause a denial of service via a malformed form, aka the
"Malformed Web Form Submission" vulnerability.

Analysis
----------------
ED_PRI CAN-2001-0096 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0101
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0101
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category:
Reference: TURBO:TLSA2000024-1
Reference: URL:http://www.turbolinux.com/pipermail/tl-security-announce/2000-December/000027.html
Reference: REDHAT:RHBA-2000:106-04
Reference: URL:http://www.redhat.com/support/errata/rhba-2000-106.html

Vulnerability in fetchmail 5.5.0-2 and earlier in the AUTHENTICATE
GSSAPI command.

Analysis
----------------
ED_PRI CAN-2001-0101 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0106
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0106
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: HP:HPSBUX0101-136
Reference: URL:http://archives.neohapsis.com/archives/hp/2001-q1/0009.html

Vulnerability in inetd server in HP-UX 11.04 and earlier allows
attackers to cause a denial of service when the "swait" state is used
by a server.

Analysis
----------------
ED_PRI CAN-2001-0106 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0009
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0009
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010110
Category: SF/CF/MP/SA//unknown
Reference: BUGTRAQ:20010109 bugtraq id 2173 Lotus Domino Server
Reference: URL:http://www.securityfocus.com/archive/1/155124
Reference: BID:2173
Reference: URL:http://www.securityfocus.com/bid/2173
Reference: BUGTRAQ:20010105 Lotus Domino 5.0.5 Web Server vulnerability - reading files outside the web root
Reference: URL:http://www.securityfocus.com/archive/1/154537

Directory traversal vulnerability in Lotus Domino 5.0.5 web server
allows remote attackers to read arbitrary files via a .. attack.

Analysis
----------------
ED_PRI CAN-2001-0009 2
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0099
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0099
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001221 BS Scripts Vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0390.html
Reference: MISC:http://www.stanback.net/
Reference: XF:bsguest-cgi-execute-commands
Reference: URL:http://xforce.iss.net/static/5796.php

bsguest.cgi guestbook script allows remote attackers to execute
arbitrary commands via shell metacharacters in the email address.

Analysis
----------------
ED_PRI CAN-2001-0099 2
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0100
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0100
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001221 BS Scripts Vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0390.html
Reference: MISC:http://www.stanback.net/
Reference: XF:bslist-cgi-execute-commands
Reference: URL:http://xforce.iss.net/static/5797.php

bslist.cgi mailing list script allows remote attackers to execute
arbitrary commands via shell metacharacters in the email address.

Analysis
----------------
ED_PRI CAN-2001-0100 2
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0007
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0007
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010108
Category: SF/CF/MP/SA//unknown
Reference: BUGTRAQ:20000109 NSFOCUS SA2001-01: Firewall WebUI Buffer Overflow vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/155149
Reference: BID:2176
Reference: URL:http://www.securityfocus.com/bid/2176

Buffer overflow in the firewall WebUI allows remote attackers to cause
a denial of service via a long URL request to the web administration
interface.

Analysis
----------------
ED_PRI CAN-2001-0007 3
Vendor Acknowledgement: unknown claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0048
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0048
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: CF
Reference: MS:MS00-099
Reference: URL:http://www.microsoft.com/technet/security/bulletin/ms00-099.asp
Reference: BID:2133
Reference: URL:http://www.securityfocus.com/bid/2133

The "Configure Your Server" tool in Microsoft 2000 domain controllers
installs a blank password for the Directory Service Restore Mode,
which allows attackers with physical access to the controller to
install malicious programs, aka the "Directory Service Restore Mode"
password vulnerability.

Analysis
----------------
ED_PRI CAN-2001-0048 3
Vendor Acknowledgement: yes advisory
Content Decisions: CF-REGISTRY

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0064
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0064
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001219 def-2000-03: MDaemon 3.5.0 DoS
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0315.html
Reference: BID:2134
Reference: URL:http://www.securityfocus.com/bid/2134

Webconfig, IMAP, and other services in MDaemon 3.5.0 and earlier
allows remote attackers to cause a denial of service via a long URL
terminated by a "\r\n" string.

Analysis
----------------
ED_PRI CAN-2001-0064 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0070
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0070
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001226 1st Up Mail Server v4.1 Buffer Overflow Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/win2ksecadvice/2000-q4/0143.html
Reference: BID:2152
Reference: URL:http://www.securityfocus.com/bid/2152
Reference: XF:1stup-mail-server-bo
Reference: URL:http://xforce.iss.net/static/5808.php

Buffer overflow in 1st Up Mail Server 4.1 allows remote attackers to
cause a denial of service, and possibly execute arbitrary commands,
via a long MAIL FROM command.

Analysis
----------------
ED_PRI CAN-2001-0070 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0073
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0073
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001226 buffer overflow in libsecure (NSA Security-enhanced Linux)
Reference: URL:http://www.securityfocus.com/archive/1/153188
Reference: BID:2154
Reference: URL:http://www.securityfocus.com/bid/2154

Buffer overflow in the find_default_type function in libsecure in NSA
Security-enhanced Linux, which may allow attackers to modify critical
data in memory.

Analysis
----------------
ED_PRI CAN-2001-0073 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0074
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0074
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001223 Technote
Reference: URL:http://www.securityfocus.com/archive/1/153007
Reference: BID:2155
Reference: URL:http://www.securityfocus.com/bid/2155

Directory traversal vulnerability in .cgi in Technote allows remote
attackers to read arbitrary files via a .. (dot dot) attack in the
board parameter.

Analysis
----------------
ED_PRI CAN-2001-0074 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0075
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0075
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001227 [Ksecurity Advisory] main.cgi Technote
Reference: URL:http://www.securityfocus.com/archive/1/153212
Reference: BID:2156
Reference: URL:http://www.securityfocus.com/bid/2156

Directory traversal vulnerability in main.cgi in Technote allows
remote attackers to read arbitrary files via a .. (dot dot) attack in
the filename parameter.

Analysis
----------------
ED_PRI CAN-2001-0075 3
Vendor Acknowledgement:
Content Decisions: SF-EXEC, SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0076
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0076
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001228 Remote vulnerability in Ikonboard up to version 2.1.7b
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0483.html
Reference: BID:2157
Reference: URL:http://www.securityfocus.com/bid/2157
Reference: XF:http-cgi-ikonboard
Reference: URL:http://xforce.iss.net/static/5819.php

register.cgi in Ikonboard 2.1.7b and earlier allows remote attackers
to execute arbitrary commands via the SEND_MAIL parameter, which
overwrites an internal program variable that references a program to
be executed.

Analysis
----------------
ED_PRI CAN-2001-0076 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0084
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0084
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20010102 gtk+ security hole.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0498.html
Reference: BUGTRAQ:20010103 Claimed vulnerability in GTK_MODULES
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-01/0027.html
Reference: BID:2165
Reference: URL:http://www.securityfocus.com/bid/2165
Reference: MISC:http://www.gtk.org/setuid.html

GTK+ library allows local users to specify arbitrary modules via the
GTK_MODULES environment variable, which could allow local users to
gain privileges if GTK+ is used by a setuid/setgid program.

Analysis
----------------
ED_PRI CAN-2001-0084 3
Vendor Acknowledgement: no

INCLUSION:
The GTK+ team claims that using GTK+ in setuid/setgid programs is
inherently risky, so the GTK_MODULES variable poses no additional
risk, and therefore it is not a vulnerability.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0087
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0087
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001219 itetris[v1.6.2] local root exploit (system()+../ protection)
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0295.html
Reference: BID:2139
Reference: URL:http://www.securityfocus.com/bid/2139
Reference: XF:itetris-svgalib-path
Reference: URL:http://xforce.iss.net/static/5795.php

itetris/xitetris 1.6.2 and earlier trusts the PATH environment
variable to find and execute the gunzip program, which allows local
users to gain root privileges by changing their PATH so that it points
to a malicious gunzip program.

Analysis
----------------
ED_PRI CAN-2001-0087 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0097
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0097
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001221 Infinite InterChange DoS
Reference: URL:http://www.securityfocus.com/archive/1/152403
Reference: BID:2140
Reference: URL:http://www.securityfocus.com/bid/2140
Reference: XF:infinite-interchange-dos
Reference: URL:http://xforce.iss.net/static/5798.php

The Web interface for Infinite Interchange 3.6.1 allows remote
attackers to cause a denial of service (application crash) via a POST
request.

Analysis
----------------
ED_PRI CAN-2001-0097 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0098
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0098
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001219 def-2000-04: Bea WebLogic Server dotdot-overflow
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0331.html
Reference: BID:2138
Reference: URL:http://www.securityfocus.com/bid/2138
Reference: XF:weblogic-dot-bo
Reference: URL:http://xforce.iss.net/static/5782.php

Buffer overflow in Bea WebLogic Server 5.1.0 allows remote attackers
to execute arbitrary commands via a long URL that begins with a ".."
string.

Analysis
----------------
ED_PRI CAN-2001-0098 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-0102
URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-0102
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20010202
Assigned: 20010201
Category: SF
Reference: BUGTRAQ:20001229 Mac OS 9 Multiple Users Control Panel Password Vulnerability
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2000-12/0497.html
Reference: XF:macos-multiple-users
Reference: URL:http://xforce.iss.net/static/5830.php

The "Multiple Users" Control Panel in Mac OS 9 allows Normal users to
gain Owner privileges by removing the Users & Groups Data File, which
effectively removes the Owner password and allows the Normal user to
log in as the Owner account without a password.

Analysis
----------------
ED_PRI CAN-2001-0102 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include a reason for acceptance:
  VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
  HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

Page Last Updated or Reviewed: May 22, 2007