(提案)集群最近- 83 - 52的候选人

我最近提出集群——83年由编辑委员会审查和投票。名称:最近- 83描述:候选人宣布1/2/2002和1/21/2002之间尺寸:52通过修改这封邮件你可能投票的候选人投票,将它寄回给我,或通过使用CVE投票网站。中列出的候选人优先秩序。优先级1和优先级2的候选人都应对不同层次的供应商确认,所以他们应该易于检查和可以信任的,是真实的问题。如果你发现任何RECENT-XX集群是不完整的对过程中发现的问题相关的时间框架,请发送信息给我,这样候选人可以被指定。——史蒂夫总结的选票使用(“严重程度”的按升序)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -接受——选民接受候选人提出等待——选民对候选人没有意见修改选民想要改变一些小细节(例如参考/描述)审查-选民正在审查/研究候选人,或需要更多的信息,重塑候选人必须大幅修改,如分割或合并拒绝候选人不是“漏洞”,或重复等。1)请写你的投票在直线上,从“投票:”开始。如果你想添加评论或细节,在投票后将它们添加到线:线。2)如果你看到任何失踪的引用,请提及他们,使他们可以包括在内。在映射引用帮助极大。3)请注意,“修改”被视为一个“接受”当计算选票。 So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING. ********** NOTE ********** NOTE ********** NOTE ********** NOTE ********** Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats. ====================================================== Candidate: CAN-2002-0096 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0096最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020103脆弱性在Geeklog 1.3参考:新用户创建URL:http://www.securityfocus.com/archive/1/248367参考:确认:http://geeklog.sourceforge.net/index.php?topic=Security参考:报价:3783参考:网址:http://www.securityfocus.com/bid/3783参考:XF: geeklog-default-admin-privileges(7780)参考:网址:http://www.iss.net/security_center/static/7780.php安装Geeklog 1.3创建一个额外的group_assignments记录不正确删除,导致第一个新创建的用户被添加到GroupAdmin和UserAdmin组,可以为用户提供管理权限,没有目的。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0096 1供应商确认:是的咨询确认:geeklog项目网站的“安全”页包含一个条目1月3日,2002年国家”安全修复!…第一个用户创建一个帐户访问GroupAdmin组和,随后,UserAdmin集团。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0097网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0097最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020110饼干修改允许未经身份验证的用户登录Geeklog 1.3参考:网址:http://online.securityfocus.com/archive/1/249443参考:确认:http://geeklog.sourceforge.net/index.php?topic=Security参考:报价:3844参考:网址:http://online.securityfocus.com/bid/3844参考:XF: geeklog-modify-auth-cookie(7869)参考:网址:http://www.iss.net/security_center/static/7869.phpGeeklog 1.3允许远程攻击者劫持用户帐户,包括管理员帐户,通过修改用户的UID的永久cookie到目标帐户。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0097 1供应商确认:未知的确认:在一个项目1月9日,2002年,geeklog供应商声明:“重大安全漏洞修复!…可以有你Geeklog 1.3系统被简单地编辑饼干和改变用户ID的Geeklog管理。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0098网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0098最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020105 BOOZT !标准的政府cgi脆弱的缓冲区溢位参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101027773404836&w=2参考:BUGTRAQ: 20020109 BOOZT !发布的标准CGI漏洞:利用参考:网址:http://online.securityfocus.com/archive/1/249219参考:确认:http://www.boozt.com/万博下载包news_detail.php?id=3参考:报价:3787参考:网址:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3787参考:XF: boozt-long-name-bo(7790)参考:网址:http://www.iss.net/security_center/static/7790.php在索引缓冲区溢出。cgi为Boozt管理界面!标准0.9.8允许本地用户执行任意代码通过一个长名称字段,当创建一个新的旗帜。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0098 1供应商确认:是的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0128网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0128最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020116水鹿网络服务器v5.1 DoS脆弱性参考:网址:http://www.securityfocus.com/archive/1/250545参考:BUGTRAQ: 20020206水鹿网络服务器示例脚本v5.1 DoS脆弱性利用参考:网址:http://www.der-keiler.de/Mailing-Lists/securityfocus/bugtraq/2002-02/0083.html参考:确认:http://www.sambar.com/security.htm参考:报价:3885参考:网址:http://www.securityfocus.com/bid/3885参考:XF: sambar-cgitest-dos(7894)参考:网址:http://www.iss.net/security_center/static/7894.phpcgitest。exe在水鹿Server 5.1 Beta 4允许远程攻击者引起拒绝服务,并可能执行任意代码,通过一个长期的观点。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0128 1供应商确认:是的咨询确认:水鹿安全页面说:“之前所有版本的水鹿WWW服务器5.1 Beta 4版本很容易报告/ cgi-win / cgitest DoS攻击。exe示例应用程序”Bugtraq海报和信贷。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0139网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0139最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020120反弹脆弱性SpoonFTP 1.1.0.1参考:网址:http://online.securityfocus.com/archive/1/251422参考:报价:3910参考:网址:http://online.securityfocus.com/bid/3910参考:确认:http://www.pi-soft.com/spoonftp/index.shtml参考:XF: spoonftp-ftp-bounce(7943)参考:网址:http://www.iss.net/security_center/static/7943.phpPi-Soft SpoonFTP 1.1和更早的允许远程攻击者将流量重定向到其他网站通过端口的命令(又名FTP反弹)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0139 1供应商确认:是的确认:SpoonFTP州的主页“修复,防止潜在的反弹攻击反对SpoonFTP 1.2版本中添加了。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0107网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0107最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020108 svindel.net安全顾问——web管理漏洞在CacheOS参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101052887431488&w=2参考:报价:3841参考:网址:http://www.securityfocus.com/bid/3841参考:BUGTRAQ: 20020205 RE: svindel.net安全顾问——web管理漏洞在Ca cheOS参考:网址:http://online.securityfocus.com/archive/1/254167参考:XF: cachos-insecure-web-interface(7835)参考:网址:http://www.iss.net/security_center/static/7835.phpWeb管理界面CacheFlow CacheOS 4.0.13早些时候,允许远程攻击者获取敏感信息通过一系列GET请求,不结束与HTTP / 1.0或另一个版本字符串,导致信息泄露的错误消息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0107 2供应商确认:是的跟踪投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0111网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0111最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020109文件横向漏洞在恐龙的网络服务器引用:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101062213627501&w=2参考:报价:3861参考:网址:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3861参考:XF: dinos-webserver-directory-traversal(7853)参考:网址:http://www.iss.net/security_center/static/7853.php目录遍历脆弱性Funsoft恐龙的1.2和更早的网络服务器允许远程攻击者读取文件或执行任意命令通过一个. .(点点)的URL。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0111 2供应商确认:是的领域相符确认:电子邮件调查送到andgjens@online。没有(主题“恐龙FunSoft”) 3/11/2002, 3/12/2002确认收到。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0115网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0115最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020110 Snort核心倾倒参考:网址:http://online.securityfocus.com/archive/1/249340参考:BUGTRAQ: 20020110 Re: Snort核心倾倒参考:网址:http://online.securityfocus.com/cgi-bin/archive.pl?id=1&start=2002-03-08&end=2002-03-14&mid=249623&threads=1参考:报价:3849参考:网址:http://online.securityfocus.com/bid/3849参考:XF: snort-icmp-dos(7874)参考:网址:http://www.iss.net/security_center/static/7874.phpSnort 1.8.3不正确定义最小ICMP头大小,它允许远程攻击者造成拒绝服务(崩溃和核心转储)通过一个畸形的ICMP数据包。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0115 2供应商确认:是的跟踪投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0123网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0123最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020114 Web服务器4 d /电子商务3.5.3 DoS脆弱性参考:网址:http://online.securityfocus.com/archive/1/250242参考:报价:3874参考:网址:http://online.securityfocus.com/bid/3874参考:XF: ws4d-long-url-dos(7879)参考:网址:http://www.iss.net/security_center/static/7879.php目标计算机服务的Web服务器4 d WS4D /电子商务3.0和更早,甚至3.5.3,允许远程攻击者可能导致拒绝服务和执行任意命令通过一个HTTP请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0123 2供应商确认:是的领域相符确认:3/11/2002查询发送到support@mdg.com。响应收到3/12/2002国家”这个漏洞不是3.5.3,而是version 3.0或更早。这是前一段时间。”So, it is not entirely clear whether the discloser correctly reported the version, or if the problem was re-introduced, or appears in a slightly different distribution. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0143 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0143最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020113 Eterm SGID utmp缓冲区溢出(当地)参考:网址:http://online.securityfocus.com/archive/1/250145参考:BUGTRAQ: 20020121 Re: Eterm SGID utmp缓冲区溢出(当地)参考:网址:http://online.securityfocus.com/archive/1/251597参考:报价:3868参考:网址:http://online.securityfocus.com/bid/3868参考:XF: eterm-home-bo(7896)参考:网址:http://www.iss.net/security_center/static/7896.php缓冲区溢出的Eterm启蒙Imlib2 v1.0.4和早些时候允许本地用户执行任意代码通过一个长期的家庭环境变量。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0143 2供应商确认:是的跟踪投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0094网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0094最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020102 BSCW:漏洞和问题参考:网址:http://www.securityfocus.com/archive/1/248000参考:MISC:http://bscw.gmd.de/WhatsNew.html参考:报价:3776参考:网址:http://www.securityfocus.com/bid/3776参考:XF: bscw-remote-shell-execution(7774)参考:网址:http://www.iss.net/security_center/static/7774.phpconfig_converters。py BSCW(基本支持合作)3。x和之前版本4.06允许远程攻击者通过执行任意命令shell元字符的文件名在文件名转换。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0094 3供应商确认:未知的模糊的承认:2001年12月21日进入供应商的“新”页面上州”新版本修复了几个bug和安全问题,“但这是太模糊,无法确定供应商已经固定的* *问题。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0095网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0095最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020102 BSCW:漏洞和问题参考:网址:http://www.securityfocus.com/archive/1/248000参考:报价:3777参考:网址:http://www.securityfocus.com/bid/3777参考:XF: bscw-default-installation-registration(7775)参考:网址:http://www.iss.net/security_center/static/7775.php的默认配置BSCW(基本支持合作)3。x和可能版本4允许用户自注册,这可能允许远程攻击者上传文件并可能加入用户社区,旨在被关闭。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0095 3供应商确认:未知的模糊的承认:2001年12月21日进入供应商的“新”页面上州”新版本修复了几个bug和安全问题,“但这是太模糊,无法确定供应商已经固定的* *问题。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0099网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0099最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020105专家网络服务器的缓冲区溢出漏洞参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101027722904078&w=2参考:NTBUGTRAQ: 20020109专家网络服务器的缓冲区溢出漏洞参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101062823305479&w=2参考:报价:3788参考:网址:http://online.securityfocus.com/bid/3788参考:XF: savant-long-parameter-bo(7786)参考:网址:http://www.iss.net/security_center/static/7786.php在cgi-test缓冲区溢出。pl的迈克尔•拉蒙特莎凡特Web Server 3.0允许远程攻击者造成拒绝服务(崩溃)通过HTTP请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0099 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0100网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0100最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020106 AOLserver 3.4.2未经授权的文件披露漏洞参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101038936305397&w=2参考:NTBUGTRAQ: 20020109 AOLserver 3.4.2未经授权的文件披露漏洞参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101062823205474&w=2参考:报价:3791参考:网址:http://online.securityfocus.com/bid/3791参考:XF: aolserver-protected-file-access(7825)参考:网址:http://www.iss.net/security_center/static/7825.phpAOL AOLserver 3.4.2 Win32允许远程攻击者绕过身份验证和读取密码保护的文件通过一个URL直接引用该文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0100 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0101网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0101最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020106 ie浏览器的Javascript非模态的弹出本地拒绝服务引用:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101039104608083&w=2参考:报价:3789参考:网址:http://online.securityfocus.com/bid/3789参考:XF: ie-modeless-dialog-dos(7826)参考:网址:http://www.iss.net/security_center/static/7826.php微软Internet Explorer 6.0和更早的版本允许本地用户造成拒绝服务通过一个非模态的对话框showModelessDialog无限循环,导致CPU使用对话框的焦点并不是释放。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0101 3供应商确认:未知的内容决定:EX-CLIENT-DOS包含:CD: EX-CLIENT-DOS指出客户端DoS,只会影响客户端不应包含在CVE。在这种情况下,据报道,CPU消耗大幅增加,所以DoS的范围并不局限于客户。此外,如果对话框的重点不是释放,那么用户可能需要重启客户端“修复”,并再次攻击的范围以外的IE。因此,这个项目应该包含在CVE。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0102网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0102最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:确认:http://otn.oracle.com/deploy/security/pdf/webcache2.pdf参考:报价:3760参考:网址:http://online.securityfocus.com/bid/3760参考:报价:3762参考:网址:http://online.securityfocus.com/bid/3762Oracle9iAS 2.0.0 Web缓存。x允许远程攻击者通过(1)引起拒绝服务请求TCP端口1100,4000年,4001年和4002年与大量的空字符,和(2)一个请求与大量的TCP端口4000“。”字符。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0102 3供应商确认:对咨询内容的决定:SF-LOC, SF-EXEC抽象:CD: SF-LOC和CD: SF-EXEC建议合并相同类型的问题在同一个版本,所以空字符和。性格问题相结合。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0103网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0103最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:CF参考:BUGTRAQ: 20020107 (ptl - 2002 - 01)漏洞Oracle9iAS Web缓存引用:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101041510727937&w=2参考:确认:http://otn.oracle.com/deploy/security/pdf/webcache2.pdf参考:报价:3761参考:网址:http://online.securityfocus.com/bid/3761参考:报价:3764参考:网址:http://online.securityfocus.com/bid/3764Oracle9iAS Web缓存2.0.0的安装程序。x与不安全的权限创建可执行文件和配置文件,它允许本地用户获得特权webcached运行(1)或(2)从webcache.xml获得管理员密码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0103 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0104网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0104最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020107 Aftpd核心转储脆弱性参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101041333323486&w=2参考:报价:3806参考:网址:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3806参考:XF: aftpd-crash-core-dump(7832)参考:网址:http://www.iss.net/security_center/static/7832.phpAFTPD 5.4.4允许远程攻击者获得敏感信息通过CD(鹿)~(波浪号)命令,导致核心转储。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0104 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0105网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0105最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020108 CDE bug Unixware 7.1参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101060400802428&w=2参考:报价:3818参考:网址:http://www.securityfocus.com/bid/3818参考:XF: unixware-dtlogin-log-symlink(7864)参考:网址:http://www.iss.net/security_center/static/7864.phpCDE在火山口dtlogin UnixWare 7.1.0,可能还有其他操作系统,允许本地用户获得特权通过一个符号链接攻击/var/dt/Xerrors因为/var/dt是人人可写的。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0105 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0106网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0106最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ:毕马威20020108 - 2002003:Bea Weblogic DOS-device拒绝服务引用:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101050440629269&w=2参考:报价:3816参考:网址:http://www.securityfocus.com/bid/3816参考:XF: weblogic-dos-jsp-dos(7808)参考:网址:http://www.iss.net/security_center/static/7808.phpBEA Weblogic Server 6.1系统允许远程攻击者通过一系列导致拒绝服务请求jsp文件包含一个ms - dos设备名称。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0106 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0108网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0108最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020108阿莱尔论坛漏洞参考:网址:http://online.securityfocus.com/archive/1/249026参考:报价:3827参考:网址:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3827参考:XF: allaire-forums-message-spoofing(7841)参考:网址:http://www.iss.net/security_center/static/7841.php阿莱尔论坛2.0.4和2.0.5和论坛!3.0和3.1允许远程经过身份验证的用户恶搞消息,其他用户通过修改隐藏表单字段的名称和电子邮件地址。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0108 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0109网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0109最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020106 Linksys路由器,SNMP问题参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101039288111680&w=2参考:报价:3795参考:网址:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3795参考:报价:3797参考:网址:http://online.securityfocus.com/bid/3797参考:XF: linksys-etherfast-default-snmp(7827)参考:网址:http://www.iss.net/security_center/static/7827.php路由器EtherFast BEFN2PS4、BEFSR41 BEFSR81路由器,可能还有其他产品,允许远程攻击者获得敏感信息并通过SNMP引起拒绝服务查询默认社区字符串“公众”导致路由器改变其配置和发送SNMP陷阱信息系统发起查询。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0109 3供应商确认:未知的内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0110网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0110最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020109 MiraMail 1.04可以给流行帐户访问和细节参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101063476715154&w=2参考:报价:3843参考:网址:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3843参考:XF: miramail-plaintext-auth-info(7855)参考:网址:http://www.iss.net/security_center/static/7855.phpNevrona设计MiraMail 1.04和更早的身份验证信息,比如流行的用户名和密码存储在明文. ini文件中,攻击者可以通过阅读获得权限的密码文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0110 3供应商确认:是的领域相符的内容决定:DESIGN-NO-ENCRYPTION确认:3/11/2002查询发送到support@nevrona.com。3/12/2002,tech@nevrona.com回答“最新版本,1.05,现在可以encypts所有敏感数据的配置文件…无论安全风险低,Nevrona设计采取了这严重和改变了1.05版本的软件加密密码信息。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0112网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0112最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020109 Eserv 2.97密码保护文件任意读取访问漏洞参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101062172226812&w=2参考:NTBUGTRAQ: 20020109 Eserv 2.97密码保护文件任意读取访问漏洞参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101062823505486&w=2参考:BUGTRAQ: 20020111 Eserv 2.97密码保护文件任意读访问漏洞(解决方案)参考:网址:http://online.securityfocus.com/archive/1/249734参考:报价:3838参考:网址:http://online.securityfocus.com/bid/3838Etype Eserv 2.97允许远程攻击者通过/查看密码保护的文件。/在URL中。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0112 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0113网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0113最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020110连奏的脆弱参考:网址:http://online.securityfocus.com/archive/1/249420参考:报价:3840参考:网址:http://online.securityfocus.com/bid/3840参考:XF: legato-nsrd-log-permissions(7897)参考:网址:http://www.iss.net/security_center/static/7897.php6.1连奏的沟通者将日志文件存储在/ nsr /日志/目录与全局权限,允许本地用户读取敏感信息和可能获得的特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0113 3供应商确认:未知的内容决定:SF-LOC抽象:CD: SF-LOC表明创建单独的项目,以不同类型的问题。确认有两个不同的问题:缺乏加密的密码,和疲软的权限。解决一个问题解决不了问题。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0114网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0114最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020110连奏的脆弱参考:网址:http://online.securityfocus.com/archive/1/249420参考:报价:3842参考:网址:http://online.securityfocus.com/bid/3842参考:XF: legato-nsrd-log-plaintext(7898)参考:网址:http://www.iss.net/security_center/static/7898.php6.1连奏的沟通者在明文存储密码守护进程。日志文件,它允许本地用户获得特权通过阅读从文件的密码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0114 3供应商确认:未知的内容决定:SF-LOC, DESIGN-NO-ENCRYPTION抽象:CD: SF-LOC表明创建单独的项目,以不同类型的问题。确认有两个不同的问题:缺乏加密的密码,和疲软的权限。解决一个问题解决不了问题。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0116网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0116最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020110翻筋斗遮阳板交货单参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101069677929208&w=2参考:BUGTRAQ: 20020110 Re:翻筋斗遮阳板交货单参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101070523119956&w=2参考:报价:3847参考:网址:http://online.securityfocus.com/bid/3847参考:XF: palmos-nmap-dos(7865)参考:网址:http://www.iss.net/security_center/static/7865.phpPalm OS 3.5 h和可能的其他版本,用于翻筋斗遮阳板和Xircom产品,允许远程攻击者通过TCP连接扫描引起拒绝服务,例如从nmap。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0116 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0117网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0117最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020108 CSS漏洞YaBB和UBB允许账户劫持(多个供应商)参考:网址:http://online.securityfocus.com/archive/1/249031参考:报价:3828参考:网址:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3828参考:XF: yabb-encoded-css(7840)参考:网址:http://www.iss.net/security_center/static/7840.php跨站点脚本漏洞在另一个公告板(YaBB) 1黄金SP 1和允许远程攻击者执行任意脚本和早些时候偷饼干通过包含Javascript编码消息在一个IMG标记。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0117 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0118网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0118最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020108 CSS漏洞YaBB和UBB允许账户劫持(多个供应商)参考:网址:http://online.securityfocus.com/archive/1/249031参考:报价:3829参考:网址:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3829参考:XF: ultimatebb-encoded-css(7838)参考:网址:http://www.iss.net/security_center/static/7838.php跨站点脚本漏洞在Infopop终极公告板(UBB) 6.2.0 Beta发布版1.0允许远程攻击者执行任意脚本和偷饼干通过包含Javascript编码消息在一个IMG标记。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0118 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0119网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0119最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020111错误在阿尔卡特速度联系家庭宽带调制解调器参考:网址:http://online.securityfocus.com/archive/1/249746参考:报价:3851参考:网址:http://online.securityfocus.com/bid/3851参考:XF: alcatel-speedtouch-nmap-dos(7893)参考:网址:http://www.iss.net/security_center/static/7893.php阿尔卡特速度联系家庭宽带调制解调器允许远程攻击者造成拒绝服务(重启)以不同寻常的数据包通过网络扫描,如nmap和操作系统检测。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0119 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0120网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0120最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020112 Palm桌面为Mac OS X 4.0 b75 " - 77参考:网址:http://online.securityfocus.com/archive/1/250093参考:报价:3863参考:网址:http://online.securityfocus.com/bid/3863参考:XF: palm-macos-backup-permissions(7937)参考:网址:http://www.iss.net/security_center/static/7937.php苹果Palm桌面4.0 b75 "和4.0 b77创建全局备份文件和文件夹的使用执行同步,这将允许本地用户获取敏感信息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0120 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0121网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0121最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020113 PHP 4。x会话欺骗引用:网址:http://online.securityfocus.com/archive/1/250196参考:报价:3873参考:网址:http://online.securityfocus.com/bid/3873参考:php-session-temp-disclosure(7908)参考:网址:http://www.iss.net/security_center/static/7908.phpPHP 4.0通过以下4.4.1会话ID存储在临时文件的名字包含会话ID,它允许本地用户劫持网络连接。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0121 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0122网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0122最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020114西门子Mobie SMS特殊字符脆弱性参考:网址:http://online.securityfocus.com/archive/1/250115参考:报价:3870参考:网址:http://online.securityfocus.com/bid/3870参考:XF: siemens-invalid-sms-dos(7902)参考:网址:http://www.iss.net/security_center/static/7902.php西门子3568年我WAP手机允许远程攻击者造成拒绝服务(崩溃)通过SMS消息包含不同寻常的人物。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0122 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0124网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0124最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020114 Web服务器4 d /电子商务3.5.3目录遍历脆弱性参考:网址:http://online.securityfocus.com/archive/1/250231参考:报价:3872参考:网址:http://online.securityfocus.com/bid/3872参考:XF: ws4d-dot-directory-traversal(7878)参考:网址:http://www.iss.net/security_center/static/7878.php目标计算机服务的Web服务器4 d /电子商务3.5.3允许远程攻击者利用目录遍历漏洞通过. ./(点点)包含在HTTP请求url编码的斜杠。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0124 3供应商确认:未知的确认:3/11/2002查询发送到support@mdg.com。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0125网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0125最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020114 Clanlib溢出/超级甲烷兄弟溢出参考:网址:http://online.securityfocus.com/archive/1/250414参考:报价:3877参考:网址:http://online.securityfocus.com/bid/3877参考:XF: clanlib-long-env-bo(7905)参考:网址:http://www.iss.net/security_center/static/7905.php缓冲区溢出ClanLib图书馆0.5可能允许本地用户使用图书馆的在游戏中执行任意代码,如(1)超级甲烷兄弟,(2)星球大战,Kwirk (3), (4) Clankanoid,和其他人,通过长期的家庭环境变量。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0125 3供应商确认:未知的内容决定:SF-CODEBASE投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0126网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0126最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020115 BlackMoon FTPd缓冲区溢出漏洞参考:网址:http://online.securityfocus.com/archive/1/250543参考:报价:3884参考:网址:http://online.securityfocus.com/bid/3884参考:MISC:http://members.rogers.com/blackmoon2k/pages/万博下载包news_page.html参考:XF: blackmoon-ftpd-static-bo(7895)参考:网址:http://www.iss.net/security_center/static/7895.php缓冲区溢出BlackMoon FTP Server 1.0到1.5允许远程攻击者执行任意代码通过一个长参数(1)用户,(2),或(3)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0126 3供应商确认:未知的模糊的内容决定:SF-LOC确认:供应商的新闻页面包含一个条目日期为2002年1月15日星期二,用红色突出显示,州“这修复强烈建议如果你是积极地使用万博下载包任何以前版本”。This is the only item in red on the page, and it does line up closely with the release date of the Bugtraq post. However, it is not clear whether the person being credited for the problem is affiliated with the poster, and with the lack of details, it is uncertain whether the vendor is truly acknowledging this issue. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0127 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0127最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020115脆弱性nmap Netgear rp - 114路由器- DOS参考:网址:http://online.securityfocus.com/archive/1/250405参考:报价:3876参考:网址:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3876Netgear RP114电缆/ DSL Web安全路由器固件3.26,当配置为块流量低于1024端口,允许远程攻击者造成拒绝服务(挂)通过广域网端口的端口扫描。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0127 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0129网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0129最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:VULN-DEV: 20020116我参考:网址:http://marc.theaimsgroup.com/?l=vuln-dev&m=101114350330912&w=2参考:BUGTRAQ: 20020116 Re:我引用:网址:http://online.securityfocus.com/archive/1/250837参考:报价:3895参考:网址:http://online.securityfocus.com/bid/3895参考:XF: efax-d-read-files(7921)参考:网址:http://www.iss.net/security_center/static/7921.php0.9和更早的我,当安装setuid root,允许本地用户读取任意文件通过- d选项,打印文件的内容在一个警告消息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0129 3供应商确认:未知的内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0130网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0130最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020116 Re:我引用:网址:http://online.securityfocus.com/archive/1/250799参考:VULN-DEV: 20020117 Re:我-开发信息参考:网址:http://marc.theaimsgroup.com/?l=vuln-dev&m=101133782204289&w=2参考:报价:3894参考:网址:http://online.securityfocus.com/bid/3894参考:XF: efax-x-bo(7920)参考:网址:http://www.iss.net/security_center/static/7920.php早些时候在我0.9和缓冲区溢出,当安装setuid root,允许本地用户执行任意代码通过一个长- x的论点。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0130 3供应商确认:未知的内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0131网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0131最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:参考:BUGTRAQ: 20020115严重的隐私泄漏在Python中Windows参考:网址:http://marc.theaimsgroup.com/?t=101113015900001&r=1&w=2参考:报价:3893参考:网址:http://online.securityfocus.com/bid/3893参考:XF: activepython-activex-read-files(7910)参考:网址:http://www.iss.net/security_center/static/7910.phpPython ActivePython ActiveX控件,当用于Internet Explorer,并不妨碍一个脚本从阅读文件从客户机的文件系统,它允许远程攻击者读取任意文件包含Python脚本通过恶意网页。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0131 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0132网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0132最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020116 Chinput缓冲区溢出漏洞参考:网址:http://online.securityfocus.com/archive/1/250815参考:报价:3896参考:网址:http://online.securityfocus.com/bid/3896参考:XF: chinput-long-env-bo(7911)参考:网址:http://www.iss.net/security_center/static/7911.php缓冲区溢出Chinput 3.0允许本地用户执行任意代码通过一个长期的家庭环境变量。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0132 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0133网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0133最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020117 Avirt代理缓冲区溢出漏洞参考:网址:http://online.securityfocus.com/archive/1/251055参考:BUGTRAQ: 20020121(重发)Avirt网关Telnet脆弱性(和更多吗?)参考网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101164598828092&w=2参考参考:BUGTRAQ: 20020220 Avirt 4.2问题:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101424723728817&w=2参考:BUGTRAQ: 20020212 4.2 Avirt网关远程缓冲区溢出:概念验证参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101366658112809&w=2参考:报价:3904参考:网址:http://online.securityfocus.com/bid/3904参考:报价:3905参考:网址:http://online.securityfocus.com/bid/3905参考:XF: avirt-http-proxy-bo(7916)参考:网址:http://www.iss.net/security_center/static/7916.php参考:XF: avirt-telnet-proxy-bo(7918)参考:网址:http://www.iss.net/security_center/static/7918.php缓冲区溢出Avirt网关套件4.2允许远程攻击者可能导致拒绝服务和执行任意代码通过(1)头字段HTTP代理,或(2)一个长字符串telnet代理。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0133 3供应商确认:未知的内容决定:SF-EXEC, SF-LOC抽象:CD-SF-EXEC表明合并相同类型的问题出现在不同的可执行文件和版本相同的包。HTTP代理和telnet代理都是在同一个包(网关套件)和版本(4.2),所以它们的总和。CD: SF-LOC建议将不同类型的问题,所以“dos提示符”问题是给定一个单独的标识符的“代理溢出”的问题。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0134网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0134最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020117 Avirt网关套件远程系统级妥协参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101131669102843&w=2参考参考:BUGTRAQ: 20020220 Avirt 4.2问题:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101424723728817&w=2参考:报价:3901参考:网址:http://online.securityfocus.com/bid/3901参考:XF: avirt-gateway-telnet-access(7915)参考:网址:http://www.iss.net/security_center/static/7915.php在Avirt Telnet代理网关套件4.2不需要身份验证连接到代理系统本身,它允许远程攻击者列表文件内容的代理和执行任意命令通过一个dos命令。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0134 3供应商确认:未知的内容决定:SF-LOC CD: SF-LOC建议将不同类型的问题,所以“dos提示符”问题是给定一个单独的标识符的“代理溢出”的问题。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0135网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0135最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020118廷巴克图6.0.1中及以上DoS咨询参考:网址:http://online.securityfocus.com/archive/1/251582参考:报价:3918参考:网址:http://online.securityfocus.com/bid/3918参考:XF: timbuktu-multiple-conn-dos(7935)参考:网址:http://www.iss.net/security_center/static/7935.phpNetopia廷巴克图Pro 6.0.1中早些时候,允许远程攻击者造成拒绝服务(崩溃)通过一系列的连接的端口(1417 - 1420)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0135 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0136网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0136最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020115 IE DOS形式参考:网址:http://online.securityfocus.com/archive/1/250592参考:报价:3892参考:网址:http://online.securityfocus.com/bid/3892微软Internet Explorer 5.5在Windows 98允许远程网页导致拒绝服务(挂)通过极长等表单字段的值输入和文本区域,可通过Javascript自动填充。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0136 3供应商确认:未知的内容决定:EX-CLIENT-DOS包含:CD: EX-CLIENT-DOS州,如果客户端DoS应用程序可以通过重启来解决,和客户机的范围是有限的,应该排除在CVE的问题。然而,在这种情况下,据报道,DoS操作系统本身可以扩展,包括系统停止。这也似乎在网景公司工作,在某种程度上。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0137网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0137最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020112 cdrdao不安全的文件句柄引用:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101102759631000&w=2参考:报价:3865参考:网址:http://online.securityfocus.com/bid/3865CDRDAO 1.1.4 1.1.5允许本地用户覆盖任意文件通过一个符号链接攻击$ HOME /。cdrdao配置文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0137 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0138网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0138最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020112 cdrdao不安全的文件句柄引用:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101102759631000&w=2参考:BUGTRAQ: 20020115 Re: cdrdao不安全的文件句柄引用:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101111688819855&w=2CDRDAO 1.1.4 1.1.5允许本地用户通过显示数据命令读取任意文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0138 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0140网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0140最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020120 dnrd 2.10 dos参考:网址:http://online.securityfocus.com/archive/1/251619参考:报价:3928参考:网址:http://online.securityfocus.com/bid/3928域名继电器守护进程(dnrd) 2.10和更早的允许远程恶意域名网站可能导致拒绝服务和执行任意代码通过一个长或畸形的DNS回答,由parse_query处理不当,get_objectname,可能还有其他的功能。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0140 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0141网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0141最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020120 3漩涡abartity文件覆盖参考:网址:http://online.securityfocus.com/archive/1/251419参考:报价:3911参考:网址:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3911参考:XF: maelstrom-tmp-symlink(7939)参考:网址:http://www.iss.net/security_center/static/7939.php漩涡GPL 3.0.1允许本地用户覆盖任意文件的其他漩涡用户通过一个符号链接攻击/ tmp / f文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0141 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0142网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0142最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020114 Pi3Web网络服务器v2.0缓冲区溢出漏洞参考:网址:http://online.securityfocus.com/archive/1/250126参考:BUGTRAQ: 20020121 Re: Pi3Web网络服务器v2.0缓冲区溢出漏洞参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101164598828093&w=2参考:NTBUGTRAQ: 20020113 Pi3Web网络服务器v2.0缓冲区溢出漏洞参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101102275316307&w=2参考:确认:http://sourceforge.net/tracker/index.php?func=detail&aid=505583&group_id=17753&atid=317753参考:报价:3866参考:网址:http://online.securityfocus.com/bid/3866参考:XF: pi3web-long-parameter-bo(7880)参考:网址:http://www.iss.net/security_center/static/7880.phpCGI处理程序在约翰罗伊Pi3Web Windows 2.0 beta 1和2允许远程攻击者造成拒绝服务(崩溃)通过一系列的物理路径的请求就是260个字符长,在一系列的结束。(点)字符。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0142 3供应商确认:是的补丁内容决定:EX-BETA包含:CD: EX-BETA表明应排除在CVE测试版软件问题,除非软件已经达成广泛分布,或者“永久”测试版的软件。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0144网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0144最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020121安全漏洞在chuid参考:网址:http://online.securityfocus.com/archive/1/251763参考:报价:3937参考:网址:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3937参考:XF: chuid-unauthorized-ownership-change(7976)参考:网址:http://www.iss.net/security_center/static/7976.php目录遍历脆弱性chuid 1.2和更早的允许远程攻击者改变外部的文件上传目录的所有权通过. .(点点)攻击。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0144 3供应商确认:是的内容决定:SF-LOC抽象:CD: SF-LOC表明分离不同类型的问题。Bugtraq海报(也是供应商)指出,有两个错误,第一个是一个…问题,这意味着第二个错误是*不* . .问题。因此,2问题应该分开。(看一下源代码进一步澄清这个区别。)投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0145网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0145最终决定:阶段性裁决:修改:建议:20020315分配:20020315类别:科幻参考:BUGTRAQ: 20020121安全漏洞在chuid参考:网址:http://online.securityfocus.com/archive/1/251763参考:报价:3937参考:网址:http://online.securityfocus.com/cgi-bin/vulns-item.pl?section=info&id=3937chuid 1.2和更早的不正确验证文件的所有权将被改变,它允许远程攻击者修改其他用户的文件,如根。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0145 3供应商确认:是的内容决定:SF-LOC抽象:CD: SF-LOC表明分离不同类型的问题。Bugtraq海报(也是供应商)指出,有两个错误,第一个是一个…问题,这意味着第二个错误是*不* . .问题。因此,2问题应该分开。(看一下源代码进一步澄清这个区别。)投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论: