(提案)集群最近- 82 - 44的候选人

来:cve-editorial-board-list@lists.mitre.org
主题(建议):最近集群- 82 - 44的候选人
从:“史蒂文·m·Christey " <coley@linus.mitre.org>
日期:2002年3月15日,星期五01:12:52 -0500(美国东部时间)
交货日期:2002年3月15日01:12:56星期五
发送方:owner-cve-editorial-board-list@lists.mitre.org
我最近提出集群——82年由编辑委员会审查和投票。名称:最近- 82描述:候选人宣布12/8/2001与12/31/2001大小:44通过修改这封邮件你可能投票的候选人投票,将它寄回给我,或通过使用CVE投票网站。中列出的候选人优先秩序。优先级1和优先级2的候选人都应对不同层次的供应商确认,所以他们应该易于检查和可以信任的,是真实的问题。如果你发现任何RECENT-XX集群是不完整的对过程中发现的问题相关的时间框架,请发送信息给我,这样候选人可以被指定。——史蒂夫总结的选票使用(“严重程度”的按升序)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -接受——选民接受候选人提出等待——选民对候选人没有意见修改选民想要改变一些小细节(例如参考/描述)审查-选民正在审查/研究候选人,或需要更多的信息,重塑候选人必须大幅修改,如分割或合并拒绝候选人不是“漏洞”,或重复等。1)请写你的投票在直线上,从“投票:”开始。如果你想添加评论或细节,在投票后将它们添加到线:线。2)如果你看到任何失踪的引用,请提及他们,使他们可以包括在内。在映射引用帮助极大。3)请注意,“修改”被视为一个“接受”当计算选票。 So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING. ********** NOTE ********** NOTE ********** NOTE ********** NOTE ********** Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats. ====================================================== Candidate: CAN-2001-1193 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1193最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011213 EFTP 2.0.8.346目录内容披露参考:网址:http://www.securityfocus.com/archive/1/245393参考:确认:http://www.eftp.org/releasehistory.html参考:报价:3691参考:网址:http://www.securityfocus.com/bid/3691目录遍历脆弱性EFTP 2.0.8.346允许本地用户阅读目录通过…慢性消耗病(修改点点)命令。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1193 1供应商确认:是的、确认:发布历史上的条目2.0.8.347版本,日期为12月12日说:“固定的一个安全缺陷,用户可以inadvertantly改变目录通过改变的…“投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION,或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1199网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1199最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011217 Agoracgi v3.3e跨站脚本漏洞参考:网址:http://www.securityfocus.com/archive/1/246044参考:确认:http://www.agoracgi.com/security.html参考:报价:3702参考:网址:http://www.securityfocus.com/bid/3702参考:XF: agora-cgi-css(7708)参考:网址:http://www.iss.net/security_center/static/7708.php跨站点脚本漏洞在集市。cgi为集会通过3.0 4.0克,当启用了调试模式,允许远程攻击者通过cart_id其他客户机上执行Javascript参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1199 1供应商确认:是的咨询确认:Agoracgi安全页面说“跨站点脚本漏洞示威(错误地描述为运行在3。x商店)不使用这个补丁安装…没有存储版本3.0到4.0 g应该没有这个补丁”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION,或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1201网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1201最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011217新咨询+利用参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=100863301405266&w=2参考:BUGTRAQ: 20011218 wmcube-gdk容易受到当地利用参考:网址:http://online.securityfocus.com/archive/1/246273参考:确认:http://www.ne.jp/asahi/linux/timecop/software/wmcube gdk p2.tar.gz——0.98参考:报价:3706参考:网址:http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3706参考:XF: wmcubegdk-object-file-bo(7720)参考:网址:http://www.iss.net/security_center/static/7720.php缓冲区溢出的wmcube-gdk WMCube / GDK 0.98允许本地用户执行任意代码通过在对象描述文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1201 1供应商确认:是的确认:更改文件wmcube p2.tar——gdk - 0.98。广州包含一个条目日期为20011218,声明“下降kmem特权,都在FreeBSD kvm。”Given the timing of this file relative to the Bugtraq announcement, and the fact that it would fix the issue being discussed in this item, there is sufficient acknowledgement. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2001-1203 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1203最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:DEBIAN: dsa - 095参考:网址:http://www.debian.org/security/2001/dsa - 095格式字符串漏洞在流量gpm-root 1.17.8通过1.17.18允许本地用户获得根权限。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1203 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1215网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1215最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011220 [CERT-intexxia] pfinger格式字符串漏洞参考:网址:http://www.securityfocus.com/archive/1/246656参考:确认:http://www.xelia.ch/unix/pfinger/ChangeLog参考:XF: pfinger-plan-format-string(7742)参考:网址:http://www.iss.net/security_center/static/7742.php参考:报价:3725参考:网址:http://online.securityfocus.com/bid/3725格式字符串漏洞在PFinger 0.7.5通过0.7.7允许远程攻击者执行任意代码通过格式字符串.plan文件说明符。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1215 1供应商确认:是的、确认:在更改日志,入境日期为2001-12-19说“安全解决办法:恶意本地用户可以引起一个坏格式字符串”和信贷揭露者。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0057网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0057最终决定:阶段性裁决:修改:建议:20020315分配:20020202类别:科幻参考:BUGTRAQ: 20011214 MSIE6可以读取本地文件参考:网址:http://archives.neohapsis.com/archives/bugtraq/2001-12/0152.html参考:BUGTRAQ: 20020212更新ms02 - 005块,洞仍然参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101366383408821&w=2参考:女士:ms02 - 008参考:网址:http://www.microsoft.com/technet/security/bulletin/ms02 - 008. - asp参考:报价:3699参考:网址:http://online.securityfocus.com/bid/3699XMLHTTP控制微软XML核心服务2.6和以后不妥善处理IE安全区域设置,它允许远程攻击者读取任意文件通过指定一个本地文件作为XML数据源。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0057 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1184网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1184最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011208 Winsock RSHD / NT 2.20.00 CPU overusage无效数据时发送参考:网址:http://www.securityfocus.com/archive/1/244580参考:BUGTRAQ: 20011213 WRSHDNT 2.21.00 CPU overusage参考:网址:http://online.securityfocus.com/archive/1/245405参考:确认:http://www.denicomp.com/rshdnt.htm参考:XF: winsock-rshdnt-error-dos(7694)参考:网址:http://www.iss.net/security_center/static/7694.php参考:报价:3659参考:网址:http://www.securityfocus.com/bid/3659wrshdsp。exe在Denicomp Winsock RSHD / NT 2.21.00和早些时候允许远程攻击者将导致拒绝服务(CPU消耗)通过(1)在2.20.00和早些时候,一个无效的端口号,例如一个负数,导致连接尝试港口和港口低于1024,和(2)在2.21.00,端口号是1024。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1184 3供应商确认:是的更新日志内容决定:SF-LOC确认:更新日志的评论版2.21.00说:“如果恶意用户写了一rsh-like客户机发送一个负数stderr端口,wrshdsp。exe进程将进入长期循环,消耗CPU周期。”ABSTRACTION: The vendor did not completely fix the original problem, so the 2 separate attack scenarios are merged into a single item. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2001-1185 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1185最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011210 AIO脆弱性参考:网址:http://www.securityfocus.com/archive/1/244583参考:XF: bsd-aio-overwrite-memory(7693)参考:网址:http://www.iss.net/security_center/static/7693.php参考:报价:3661参考:网址:http://www.securityfocus.com/bid/3661一些AIO操作在FreeBSD 4.4可能推迟到调用execve之后,这可能允许本地用户覆盖内存的进程,并获得特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1185 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1186网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1186最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011211微软IIS / 5虚假内容长度错误。参考网址:http://www.securityfocus.com/archive/1/244892参考:BUGTRAQ: 20011211 Microsoft IIS / 5虚假内容长度错误记忆攻击参考:网址:http://online.securityfocus.com/archive/1/244931参考:BUGTRAQ: 20011212 Microsoft IIS / 5.0内容长度DoS(证明)参考:网址:http://online.securityfocus.com/archive/1/245100参考:报价:3667参考:网址:http://www.securityfocus.com/bid/3667参考:XF: iis-false-content-length-dos(7691)参考:网址:http://www.iss.net/security_center/static/7691.phpMicrosoft IIS 5.0允许远程攻击者造成拒绝服务通过一个HTTP请求的内容长度值大于请求的大小,防止IIS超时的连接。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1186 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1187网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1187最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011211 CSVForm (Perl CGI)远程执行漏洞参考:网址:http://online.securityfocus.com/archive/1/244908参考:报价:3668参考:网址:http://online.securityfocus.com/bid/3668参考:XF: csvform-cgi-execute-commands(7692)参考:网址:http://www.iss.net/security_center/static/7692.phpcsvform。pl 0.1允许远程攻击者通过元字符在文件执行任意命令参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1187 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1188网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1188分配最终决定:阶段性裁决:修改:建议:20020315:20020315类别:科幻参考:BUGTRAQ: 20011211垃圾邮件发送者喜悦:一样软弱无力的可以参考:网址:http://www.securityfocus.com/archive/1/244909参考:报价:3669参考:网址:http://www.securityfocus.com/bid/3669mailto。exe在布莱恩Dorricott MAILTO 1.0.9早些时候,允许远程攻击者发送垃圾邮件的电子邮件通过修改发送到远程服务器,电子邮件,服务器,主题和resulturl隐藏表单字段。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1188 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1189网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1189最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011213 IBM WebSphere在UNIX安全警报!参考网址:http://www.securityfocus.com/archive/1/245324参考:报价:3682参考:网址:http://www.securityfocus.com/bid/3682参考:XF: websphere-java-plaintext-passwords(7698)参考:网址:http://www.iss.net/security_center/static/7698.phpIBM Websphere Application Server 3.5.3和早些时候在sas.server明文存储密码。道具的文件,它允许本地用户获取密码通过JSP脚本。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1189 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1190网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1190最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:参考:曼德拉草:MDKSA-2001:091参考:网址:http://www.linux mandrake.com/en/security/2001/mdksa - 2001 - 091. - php3参考:报价:3683参考:网址:http://www.securityfocus.com/bid/3683参考:XF: linux-passwd-weak-encryption(7706)参考:网址:http://www.iss.net/security_center/static/7706.php默认PAM文件包含passwd Mandrake Linux 8.1不支持MD5密码,导致密码安全级别低于预期。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1190 3供应商确认:对咨询内容的决定:模糊包含:咨询是不清楚的具体影响违约PAM文件。然而,由于这来自一个供应商咨询,CD:模糊表明它应该包含在CVE。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1191网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1191最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011211 Webseal 3.8参考:网址:http://www.securityfocus.com/archive/1/245283参考:报价:3685参考:网址:http://www.securityfocus.com/bid/3685在IBM Tivoli WebSeal SecureWay政策主管3.8允许远程攻击者造成拒绝服务(崩溃)通过一个URL,以% 2 e。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1191 3供应商确认:未知的内容决定:SF-LOC抽象:cve - 2001 - 0982在WebSEAL描述目录遍历问题,有关% 2 e。似乎在试图解决这个问题,供应商引入了一个新类型的问题。因为CD: SF-LOC建议将不同类型的问题,这个项目应该分开cve - 2001 - 0982。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1192网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1192最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011213 Kikkert安全顾问:潜在的严重安全漏洞在Citrix客户端参考:网址:http://www.securityfocus.com/archive/1/245342参考:报价:3688参考:网址:http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3688Citrix独立计算架构(ICA)客户端为Windows 6.1允许远程执行任意代码通过一个恶意网站。ICA文件,由客户端下载并自动执行。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1192 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1194网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1194最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011214合勤科技声望681年和1600年(可能其他?)远程DoS参考:网址:http://www.securityfocus.com/archive/1/245498参考:BUGTRAQ: 20011218 Re:合勤科技声望681年和1600年(可能其他?)远程DoS参考:网址:http://www.securityfocus.com/archive/1/246182参考:报价:3695参考:网址:http://www.securityfocus.com/bid/3695合勤科技681年和1600年声望SDSL路由器允许远程攻击者通过畸形引起拒绝服务与(1)IP数据包长度小于实际数据包大小,或(2)重新组装后支离破碎的数据包的大小超过64 kb。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1194 3供应商确认:未知的内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1195网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1195最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011215 Novell Groupwise网关servlet默认用户名和密码参考:网址:http://www.securityfocus.com/archive/1/245871参考:确认:http://support.novell.com/cgi-bin/search/searchtid.cgi?/10067329.htm参考:XF: groupwise-servlet-manager-default(7701)参考:网址:http://www.iss.net/security_center/static/7701.php参考:报价:3697参考:网址:http://online.securityfocus.com/bid/3697Novell Groupwise Servlet 5.5和6.0网关安装与Servlet的默认用户名和密码管理器,它允许远程攻击者获得特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1195 3供应商确认:对咨询内容的决定:CF-PASS ACKNOWLEGDEMENT: Novell确认仅为5.5。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1196网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1196最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011217 webmin 0.91 . . / . .问题参考:网址:http://www.securityfocus.com/archive/1/245980参考:BUGTRAQ: 20011218 Re: webmin 0.91 . . / . .问题参考:网址:http://marc.theaimsgroup.com/?l=webmin-l&m=100865390306103&w=2参考:报价:3698参考:网址:http://www.securityfocus.com/bid/3698参考:XF: webmin-dot-directory-traversal(7711)参考:网址:http://www.iss.net/security_center/static/7711.php目录遍历edit_action脆弱性。Webmin的cgi目录0.91允许攻击者获得特权通过“. .(点点)的论点。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1196 3供应商确认:没有争议包括:供应商声称root特权已经要求编辑启动操作。如果是这样,那么攻击者不会获得任何特权之外他们已经有什么,所以它不会是一个弱点。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1197网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1197最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011214 klprfax_filter符号链接漏洞参考:网址:http://www.securityfocus.com/archive/1/245500参考:BUGTRAQ: 20011214 Re: klprfax_filter符号链接漏洞参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=100837486611350&w=2参考:报价:3694参考:网址:http://www.securityfocus.com/bid/3694在KDE2 klprfax_filter KDEUtils允许本地用户覆盖通过符号链接攻击klprfax任意文件。临时文件进行过滤。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1197 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1198网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1198最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011215 hp - ux setuid rlpdaemon诱导使非法文件参考写道:网址:http://www.securityfocus.com/archive/1/245690参考:报价:3701参考:网址:http://www.securityfocus.com/bid/3701参考:XF: hp-rlpd-create-log(7729)参考:网址:http://www.iss.net/security_center/static/7729.phpRLPDaemon在hp - ux 10.20和11.0允许本地用户覆盖任意文件并获得特权- l选项指定目标文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1198 3供应商确认:未知的模糊的内容决定:模糊的抽象:这听起来类似于- 2001 - 0817,但国际空间站/惠普报告项目是模糊的。然而,可以远程- 2001 - 0817是可利用的。对于本例,局部可采,它似乎并不像一个远程攻击者能够指定可选的日志文件。假设这是真的,然后通过CD: SF-LOC,这个问题应该区别对待。此外,国际空间站创造了独立的XF参考这个问题;他们的“内部信息”- 2001 - 0817将因此进一步说明这些不同的问题。这个问题说的大参考hpsbux0111 - 176修复这个问题,但这是不确定是否大参考*假设*这是固定因为rlpdaemon提到的咨询。问题是hpsbux0111 - 176太模糊,事实上只提到“a”(即脆弱性。一个问题),多半国际空间站。然而,大参考8月8日说,他们通知惠普,这可能让惠普hpsbux0111 - 176年的时间来解决这个问题。 This is an interesting demonstration of the impact of vague advisories on *other* issues that aren't vaguely described. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2001-1200 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1200最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011217 XP下热键权限绕过参考:网址:http://www.securityfocus.com/archive/1/246014参考:报价:3703参考:网址:http://www.securityfocus.com/bid/3703参考:XF: winxp-hotkey-execute-programs(7713)参考:网址:http://www.iss.net/security_center/static/7713.php微软Windows XP允许本地用户绕过一个锁定的屏幕和运行某些程序与热相关的钥匙。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1200 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1202网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1202最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011228委托跨站脚本漏洞参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=100956050432351&w=2参考:报价:3749参考:网址:http://online.securityfocus.com/bid/3749参考:XF: delegate-proxy-css(7745)参考:网址:http://www.iss.net/security_center/static/7745.php跨站点脚本漏洞在委托7.7.0 7.7.1不引用脚本命令在“403”禁止错误页面,它允许远程攻击者执行任意Javascript在其他客户通过一个URL生成一个错误。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1202 3供应商确认:未知空间。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1204网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1204最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011228 PHP火箭插件(文件横向脆弱性)参考:网址:http://www.securityfocus.com/archive/1/247559参考:报价:3751参考:网址:http://www.securityfocus.com/bid/3751目录遍历脆弱性phprocketaddin总电脑解决方案PHP火箭插件网页制作1.0允许远程攻击者读取任意文件通过一个. .(点点)页面参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1204 3供应商确认:没有投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1205网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1205最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011230 lastline。cgi路径遍历和命令执行vulns参考:网址:http://www.securityfocus.com/archive/1/247710参考:报价:3754参考:网址:http://www.securityfocus.com/bid/3754目录遍历lastline脆弱性。cgi为去年2.0允许远程攻击者读取任意文件通过一个“. .”(点点)攻击。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1205 3供应商确认:未知的内容决定:SF-LOC抽象:CD: SF-LOC显示一个分成不同的问题类型,因此不同的CVE创建项目目录遍历和shell元字符。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1206网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1206最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:参考:BUGTRAQ: 20011230 lastline。cgi路径遍历和命令执行vulns参考:网址:http://www.securityfocus.com/archive/1/247710参考:报价:3755参考:网址:http://www.securityfocus.com/bid/3755矩阵CGI库去年2.0允许远程攻击者执行任意命令行未能验证shell元字符。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1206 3供应商确认:未知的内容决定:SF-LOC抽象:CD: SF-LOC显示一个分成不同的问题类型,因此不同的CVE创建项目目录遍历和shell元字符。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1207网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1207最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011230白日梦BBS缓冲区溢位参考:网址:http://www.securityfocus.com/archive/1/247708参考:确认:http://www.cs.uku.fi/ hlyytine /白日梦- 2.11 /更新日志参考:报价:3757参考:网址:http://www.securityfocus.com/bid/3757参考:XF: daydream-bbs-control-code-bo(7755)参考:网址:http://www.iss.net/security_center/static/7755.php缓冲区溢出的白日梦BBS 2.9到2.13允许远程攻击者可能通过控制代码执行任意代码(1)~ # MC,(2) ~ #特遣部队,或(3)~ # RA。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1207 3供应商确认:是的更新日志内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1208网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1208最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011231白日梦BBS格式字符串的问题。参考网址:http://marc.theaimsgroup.com/?l=bugtraq&m=100977623710528&w=2格式字符串漏洞在白日梦论坛允许远程攻击者通过格式字符串执行任意代码说明符在一个文件中包含一个~ # RA控制代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1208 3供应商确认:未知的内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1209网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1209最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011231 blackshell2: zml。cgi远程利用参考:网址:http://www.securityfocus.com/archive/1/247742参考:VULNWATCH: 20011231 [VULNWATCH] blackshell2: zml。cgi远程利用参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0086.html参考:MISC:http://www.jero.cc/zml/zml.html参考:报价:3759参考:网址:http://www.securityfocus.com/bid/3759参考:XF: zml-cgi-directory-traversal(7751)参考:网址:http://www.iss.net/security_center/static/7751.php目录遍历zml脆弱性。cgi允许远程攻击者读取任意文件通过一个. .(点点)文件中的参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1209 3供应商确认:没有争议内容决定:包容包容:zml的作者。cgi程序说,不是他的脆弱的版本,这zml。cgi参数并不需要一个文件。如果这是一个适应zml。cgi程序,适应不是一般可用,那么它不应该包含在CVE。几乎所有的点击“zml谷歌。cgi”引用报告的漏洞,搜索“zml”没有出现任何明显的web页面,所以不能确定如果还有另一个产品,使用一个名为zml.cgi的脚本。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1210网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1210最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011230可能的安全问题与思科ubr900系列路由器参考:网址:http://www.securityfocus.com/archive/1/247718参考:报价:3758参考:网址:http://online.securityfocus.com/bid/3758参考:XF: cisco-docsis-default-strings(7806)参考:网址:http://www.iss.net/security_center/static/7806.php思科ubr900系列路由器符合Data-over-Cable服务接口规范(DOCSIS)标准必须船没有SNMP访问限制,它可以允许远程攻击者读取和写入信息,使用任意的MIB社区字符串。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1210 3供应商确认:未知discloser-claimed内容决定:CF投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1211网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1211最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011231 IMail Web服务用户别名/邮件列表管理漏洞参考:网址:http://www.securityfocus.com/archive/1/247786参考:MISC:http://support.ipswitch.com/kb/im dm02.htm——20020301参考:MISC:http://support.ipswitch.com/kb/im dm01.htm——20011219参考:报价:3766参考:网址:http://www.securityfocus.com/bid/3766参考:XF: imail-admin-domain-change(7752)参考:网址:http://www.iss.net/security_center/static/7752.phpIpswitch IMail 7.0.4早些时候,允许攻击者使用管理员权限来阅读和修改用户别名和邮件列表信息主办的其他领域相同的服务器通过(1)或(2)aliasadmin listadm1 CGI程序,不正确验证管理员管理员为目标域。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1211 3供应商确认:未知的模糊的承认:IMail 7.06的发布说明说“固定远程处理信息管理器上设置”。However, this item is not labeled as a security fix, nor is it specific enough to be certain. The release notes for 7.05 say "iWebMsg: List, rule and alias security hacks thwarted," which sounds more like the issue, but it's still not quite clear enough to be certain that the vendor has acknowledged the problem, especially since there are additional reports of *different* vulnerabilities in the same version. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2001-1212 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1212最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011218 Aktivate购物系统跨站脚本漏洞参考:网址:http://www.securityfocus.com/archive/1/246274参考:XF: aktivate-shopping-css(7717)参考:网址:http://www.iss.net/security_center/static/7717.php参考:报价:3714参考:网址:http://online.securityfocus.com/bid/3714在catgy跨站脚本漏洞。cgi Aktivate 1.03允许远程攻击者通过desc参数执行任意Javascript。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1212 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1213网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1213最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011218 FTPXQ默认安装读/写功能参考:网址:http://www.securityfocus.com/archive/1/246285参考:XF: ftpxq-default-permissions(7715)参考:网址:http://www.iss.net/security_center/static/7715.php参考:报价:3716参考:网址:http://online.securityfocus.com/bid/3716的默认配置DataWizard FtpXQ 2.0和2.1包含一个默认的用户名和密码,远程攻击者可以读取和写入任意文件在根文件夹中。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1213 3供应商确认:未知discloser-claimed内容决定:CF-PASS投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1214网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1214最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011215 *警报*“Unix手册”php脚本允许任意代码执行参考:网址:http://www.securityfocus.com/archive/1/247332参考:XF: unixmanual-php-command-execution(7719)参考:网址:http://www.iss.net/security_center/static/7719.php参考:报价:3718参考:网址:http://online.securityfocus.com/bid/3718手册。php在马库斯s Xenakis Unix手册1.0允许远程攻击者通过一个URL执行任意代码,其中包含shell元字符。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1214 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1216网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1216最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011221缓冲区溢出在Oracle 9 ias (# NISR20122001)参考:网址:http://www.securityfocus.com/archive/1/246663参考:确认:http://otn.oracle.com/deploy/security/pdf/modplsql.pdf参考:CERT-VN: VU # 500203参考:网址:http://www.kb.cert.org/vuls/id/500203参考:XF: oracle-appserver-modplsql-bo(7727)参考:网址:http://www.iss.net/security_center/static/7727.php参考:报价:3726参考:网址:http://www.securityfocus.com/bid/3726在PL / SQL缓冲区溢出Apache模块在Oracle 9 i应用服务器允许远程攻击者执行任意代码通过一个请求帮助页面。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1216 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1217网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1217最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011221缓冲区溢出在Oracle 9 ias (# NISR20122001)参考:网址:http://www.securityfocus.com/archive/1/246663参考:确认:http://otn.oracle.com/deploy/security/pdf/modplsql.pdf参考:XF: oracle-appserver-modplsql-traversal(7728)参考:网址:http://www.iss.net/security_center/static/7728.php参考:报价:3727参考:网址:http://www.securityfocus.com/bid/3727参考:CERT-VN: VU # 758483参考:网址:http://www.kb.cert.org/vuls/id/758483目录遍历脆弱性在Oracle PL / SQL Apache模块Oracle 9 i应用服务器允许远程攻击者访问敏感信息通过双重编码的URL . .(点点)序列。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1217 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1218网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1218最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011220 E5 (SP1) X服务器崩溃Solaris2.6中文版参考:网址:http://www.securityfocus.com/archive/1/246611参考:报价:3729参考:网址:http://online.securityfocus.com/bid/3729微软Internet Explorer Unix 5.0 sp1允许本地用户可能导致拒绝服务(崩溃)CDE或X服务器在Solaris 2.6迅速滚动汉字或最大化窗口。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1218 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1219网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1219最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011220 MSIE DoS使用javascript参考:网址:http://www.securityfocus.com/archive/1/246649参考:报价:3730参考:网址:http://online.securityfocus.com/bid/3730微软Internet Explorer 6.0和更早的版本允许恶意网站运营商造成拒绝服务(通过JavaScript客户端崩溃),不断刷新窗口通过。location。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1219 3供应商确认:未知的内容决定:EX-CLIENT-DOS包含:当前版本的CD: EX-CLIENT-DOS表明如果有客户端只能通过被动攻击利用DoS,如果范围仅局限于应用程序,它可以固定重启,然后不应包括在CVE的问题。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1220网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1220最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011221友讯科技设计水线- 1000美联社可以妥协,因为SNMP配置参考:网址:http://www.securityfocus.com/archive/1/246849参考:报价:3735参考:网址:http://www.securityfocus.com/bid/3735参考:XF: dlink-ap-public-mib(7733)参考:网址:http://www.iss.net/security_center/static/7733.php友讯科技设计水线据美联社固件3.2.28 # 483 - 1000无线局域网接入点的管理密码明文存储在默认的管理信息库(MIB),它允许远程攻击者获得管理权限。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1220 3供应商确认:未知discloser-claimed内容决定:SF-LOC, DESIGN-NO-ENCRYPTION抽象:CD: SF-LOC建议分成不同类型的问题。(缺乏一个问题是一个明文密码加密)的范围仅限于那些知道社区字符串——然而,社区有一个默认的字符串,这是一个不同类型的问题(默认),使问题比它可能最初是明文密码,但这仍然是一个问题,即使有一个非默认社区字符串。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1221网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1221最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011221友讯科技设计水线- 1000美联社可以妥协,因为SNMP配置参考:网址:http://www.securityfocus.com/archive/1/246849参考:报价:3736参考:网址:http://www.securityfocus.com/bid/3736友讯科技设计水线据美联社固件3.2.28 # 483 - 1000无线局域网接入点使用一个默认的SNMP社区字符串“公众”,允许远程攻击者获得敏感信息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1221 3供应商确认:未知discloser-claimed内容决定:SF-LOC, CF-PASS抽象:CD: SF-LOC建议分成不同类型的问题。(缺乏一个问题是一个明文密码加密)的范围仅限于那些知道社区字符串——然而,社区有一个默认的字符串,这是一个不同类型的问题(默认),使问题比它可能最初是明文密码,但这仍然是一个问题,即使有一个非默认社区字符串。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1222网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1222最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011221 twlc咨询:plesk (psa)允许阅读。php文件参考:网址:http://www.securityfocus.com/archive/1/246861参考:报价:3737参考:网址:http://www.securityfocus.com/bid/3737参考:XF: psa-php-reveal-source(7735)参考:网址:http://www.iss.net/security_center/static/7735.phpPlesk服务器管理员(PSA) 1.0允许远程攻击者获得PHP源代码通过HTTP请求包含目标IP地址和一个有效的帐户名称的域。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1222 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1223网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1223最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011226凤凰Sistemi安全顾问:埃尔莎Lancom 1100办公室安全问题参考:网址:http://www.securityfocus.com/archive/1/247274参考:报价:3746参考:网址:http://www.securityfocus.com/bid/3746参考:XF: elsa-lancom-web-administration(7739)参考:网址:http://www.iss.net/security_center/static/7739.php网络管理服务器1100年埃尔莎Lancom办公室不需要身份验证,它允许任意远程攻击者获得管理权限通过连接到服务器。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1223 3供应商确认:未知的内容决定:DESIGN-NO-AUTH投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1224网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1224最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011223火鸡CGI马拉松# 001参考:网址:http://www.securityfocus.com/archive/1/246994参考:报价:3739参考:网址:http://www.securityfocus.com/bid/3739参考:XF: adrotate-sql-execute-commands(7736)参考:网址:http://www.iss.net/security_center/static/7736.phpget_input adrotate。点为莱斯VanBrunt AdRotate Pro 2.0允许远程攻击者修改数据库和可能通过SQL代码注入攻击执行任意命令。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1224 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1225网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1225最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011226 msql DoS参考:网址:http://www.securityfocus.com/archive/1/247222参考:报价:3742参考:网址:http://www.securityfocus.com/bid/3742参考:XF: msql-char-array-dos(7746)参考:网址:http://www.iss.net/security_center/static/7746.php休斯技术迷你SQL 2.0.10通过2.0.12允许本地用户造成拒绝服务通过创建一个非常大的数组表中,导致miniSQL表查询时崩溃。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1225 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2001 - 1226网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2001 - 1226最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20011225火鸡CGI马拉松# 002参考:网址:http://www.securityfocus.com/archive/1/247126参考:报价:3741参考:网址:http://www.securityfocus.com/bid/3741参考:XF: adcycle-modify-sql-query(7762)参考:网址:http://www.iss.net/security_center/static/7762.phpAdCycle 1.17和更早的允许远程攻击者修改SQL查询,不正确消毒之前被传递到MySQL数据库。分析- - - - - - - - - - - - - - - - - ED_PRI - 2001 - 1226 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论: