
[PROPOSAL] Cluster MISC-2001-003 - 36 candidates



I am proposing cluster MISC-2001-003 for review and voting by the Editorial Board.

Name: MISC-2001-003
Description: MISC. CANs announced between 8/3/2001 and 12/6/2001
Size: 36

You can vote on the candidates by modifying this e-mail and sending it back to me, or by using the CVE voting web site.

The candidates are listed in order of priority. Priority 1 and Priority 2 candidates both deal with varying levels of vendor confirmation, so they should be easy to review and can be trusted to be real problems.

Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT - voter accepts the candidate as proposed
NOOP - voter has no opinion on the candidate
MODIFY - voter wants to change some minor detail (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST - candidate must be significantly modified, e.g. split or merged
REJECT - candidate is "not a vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE: ". If you want to add comments or details, add them to lines after the VOTE: line.

2) If you see any missing references, please mention them so that they can be included. References help greatly during mapping.

3) Note that a "MODIFY" is treated as an "ACCEPT" when counting votes. So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2001-1227
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1227
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020411
Category: SF
Reference: REDHAT:RHSA-2001:115
Reference: URL:http://www.redhat.com/support/errata/rhsa-2001-115.html
Reference: MANDRAKE:MDKSA-2001:080
Reference: URL:http://www.linux-mandrake.com/en/security/2001/mdksa-2001-080.php3
Reference: BID:3425
Reference: URL:http://online.securityfocus.com/bid/3425

Zope before 2.2.4 allows partially trusted users to bypass security controls for certain methods by accessing the methods through the fmt attribute of dtml-var tags.

Analysis
----------------
ED_PRI CAN-2001-1227 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1231
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1231
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010814 FWD: Security Alert: Groupwise - Action Required
Reference: URL:http://www.securityfocus.com/archive/1/204672
Reference: CONFIRM:http://support.novell.com/padlock/details.htm
Reference: XF:novell-groupwise-admin-privileges(6998)
Reference: URL:http://xforce.iss.net/static/6998.php
Reference: BID:3189
Reference: URL:http://www.securityfocus.com/bid/3189

GroupWise 5.5 and 6 running in live remote or smart caching mode allows remote attackers to read arbitrary users' mailboxes by extracting usernames and passwords from sniffed network traffic, as addressed by the "Padlock" fix.

Analysis
----------------
ED_PRI CAN-2001-1231 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1234
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1234
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: CONFIRM:http://prdownloads.sourceforge.net/gallery/gallery-1.2.5.tar.gz
Reference: BID:3397
Reference: URL:http://www.securityfocus.com/bid/3397
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://www.iss.net/security_center/static/7215.php

Bharat Mediratta Gallery PHP script before 1.2.1 allows remote attackers to execute arbitrary code by including files from remote web sites via an HTTP request that modifies the includedir variable.

Analysis
----------------
ED_PRI CAN-2001-1234 1
Vendor Acknowledgement: yes patch
ACKNOWLEDGEMENT: The UPGRADING file in the 1.2.5 distribution says: "Due to security fixes, you must now modify index.php if you want to use the Nuke random photo block for Gallery ... the file you are trying to include is not on the approved file list. To include this file you must edit Gallery's index.php and add XXX to the $safe_to_include array". This clearly addresses the problem that was reported.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1252
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1252
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: BUGTRAQ:20010928 SNS-43: PGP Keyserver Permissions Misconfiguration
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0230.html
Reference: CONFIRM:http://www.pgp.com/support/product-advisories/keyserver.asp
Reference: XF:pgp-keyserver-http-dos(7203)
Reference: URL:http://www.iss.net/security_center/static/7203.php
Reference: BID:3375
Reference: URL:http://online.securityfocus.com/bid/3375

Network Associates PGP Keyserver 7.0 allows remote attackers to bypass authentication and access the administrative web interface via URLs that directly access the directory instead of the Keyserver/ directory for the programs (1) console, (2) cs, (3) multi_config and (4) directory.

Analysis
----------------
ED_PRI CAN-2001-1252 1
Vendor Acknowledgement: unknown discloser-claimed
ACKNOWLEDGEMENT: The PGP advisory is cited by the main reference. While it does not provide sufficient details to show that it is addressing the same issue, and the advisory has no date to "line up" with the Bugtraq post, in the end the poster is believed regarding the advisory.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1278
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1278
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: REDHAT:RHSA-2001:115
Reference: URL:http://www.redhat.com/support/errata/rhsa-2001-115.html
Reference: MANDRAKE:MDKSA-2001:080
Reference: URL:http://www.linux-mandrake.com/en/security/2001/mdksa-2001-080.php3
Reference: BID:3425
Reference: URL:http://online.securityfocus.com/bid/3425

Zope before 2.2.4 allows partially trusted users to bypass security controls for certain methods by accessing the methods through the fmt attribute of dtml-var tags.

Analysis
----------------
ED_PRI CAN-2001-1278 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1295
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1295
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: CONFIRM:http://www.greenepa.net/~averett/cerberus-releasenotes.htm#ReleaseNotes
Reference: MISC:http://www.securiteam.com/windowsntfocus/5SP0M0055W.html
Reference: XF:cerberus-ftp-directory-traversal(7004)
Reference: URL:http://www.iss.net/security_center/static/7004.php

Directory traversal vulnerability in Cerberus FTP server 1.5 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the CD command.

Analysis
----------------
ED_PRI CAN-2001-1295 1
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: The release notes for version 1.6 beta, dated August 29, 2001, say "Fixed a major security hole that allowed unrestricted access to the server machine when using periods in change directory paths."

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1297
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1297
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=58331
Reference: BID:3384
Reference: URL:http://www.securityfocus.com/bid/3384
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://www.iss.net/security_center/static/7215.php

Actionpoll PHP script before 1.1.2 allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.

Analysis
----------------
ED_PRI CAN-2001-1297 1
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: The change log for 1.1.2 says "fixed security hole" and references BID:3384, i.e. this item.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1299
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1299
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: CERT-VN:VU#847803
Reference: URL:http://www.kb.cert.org/vuls/id/847803
Reference: CONFIRM:http://www.come.to/zorbat/
Reference: CONFIRM:http://www.kb.cert.org/vuls/id/JARL-53RJKV
Reference: BID:3386
Reference: URL:http://www.securityfocus.com/bid/3386
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://www.iss.net/security_center/static/7215.php

Zorbat Zorbstats PHP script before 0.9 allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.

Analysis
----------------
ED_PRI CAN-2001-1299 1
Vendor Acknowledgement: yes
ACKNOWLEDGEMENT: The vendor's home page, in an announcement for Zorbstats 0.9 dated October 21, 2001, says "security issue corrected." Normally this is insufficient to be certain that the vendor is acknowledging *this* problem, but the vendor is also said to have fixed the issue in a CERT vulnerability note.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1228
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1228
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020411
Category: SF
Reference: VULN-DEV:20011118 New bugs discovered!
Reference: VULN-DEV:20011120 New bugs, old bugs
Reference: VULN-DEV:20011119 Killing the thread (New bugs discovered!)
Reference: BUGTRAQ:20011230 gzip bug w/ patch..
Reference: URL:http://online.securityfocus.com/archive/1/247717
Reference: MANDRAKE:MDKSA-2002:011
Reference: DEBIAN:DSA-100
Reference: SGI:20020401-01-P
Reference: BID:3712
Reference: URL:http://online.securityfocus.com/bid/3712

Buffer overflow in gzip 1.3x, 1.2.4, and other versions might allow attackers to execute code via a long file name, possibly remotely if gzip is run on an FTP server.

Analysis
----------------
ED_PRI CAN-2001-1228 3
Vendor Acknowledgement: yes advisory
Content Decisions: INCLUSION

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1232
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1232
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010815 Groupwise Webaccess, NetWare Web Server, and Novell
Reference: URL:http://www.securityfocus.com/archive/1/204875
Reference: XF:netware-get-directory-listing(6988)
Reference: URL:http://xforce.iss.net/static/6988.php
Reference: BID:3188
Reference: URL:http://www.securityfocus.com/bid/3188

GroupWise WebAccess 5.5 with directory indexing enabled allows remote attackers to view arbitrary directory contents via an HTTP request with a lowercase "get".

Analysis
----------------
ED_PRI CAN-2001-1232 3
Vendor Acknowledgement: unknown

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1233
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1233
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: BUGTRAQ:20010815 Groupwise Webaccess, NetWare Web Server, and Novell
Reference: URL:http://www.securityfocus.com/archive/1/204875
Reference: XF:netware-nds-information-leak(6987)
Reference: URL:http://xforce.iss.net/static/6987.php

Netware Enterprise Web Server 5.1 running GroupWise WebAccess 5.5 with Novell Directory Services (NDS) enabled allows remote attackers to enumerate user names, group names and other system information by accessing ndsobj.nlm.

Analysis
----------------
ED_PRI CAN-2001-1233 3
Vendor Acknowledgement: unknown

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1253
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1253
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010927 Two problems with Alexis/InternetPBX from COM2001
Reference: URL:http://online.securityfocus.com/archive/1/217200
Reference: XF:alexis-http-plaintext-information(7205)
Reference: URL:http://www.iss.net/security_center/static/7205.php

Alexis 2.0 and 2.1 in COM2001 InternetPBX stores voicemail passwords in plain text in the com2001.ini file, which allows local users to make long distance calls as other users.

Analysis
----------------
ED_PRI CAN-2001-1253 3
Vendor Acknowledgement: unknown
Content Decisions: SF-LOC

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1254
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1254
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010927 Two problems with Alexis/InternetPBX from COM2001
Reference: URL:http://online.securityfocus.com/archive/1/217200
Reference: BID:3373
Reference: URL:http://online.securityfocus.com/bid/3373

Web Access component for COM2001 Alexis 2.0 and 2.1 in InternetPBX sends the username and voicemail password in the clear via a Java applet that sends the information to port 8888 of the server, which could allow remote attackers to steal the passwords via sniffing.

Analysis
----------------
ED_PRI CAN-2001-1254 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1255
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1255
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 WinMySQLadmin 1.1 stores MySQL password in plain text
Reference: URL:http://online.securityfocus.com/archive/1/217848
Reference: BID:3381
Reference: URL:http://online.securityfocus.com/bid/3381
Reference: XF:winmysqladmin-password-plaintext(7206)
Reference: URL:http://www.iss.net/security_center/static/7206.php

WinMySQLadmin 1.1 stores the MySQL password in plain text in the my.ini file, which allows local users to obtain unauthorized access to the MySQL database.

Analysis
----------------
ED_PRI CAN-2001-1255 3
Vendor Acknowledgement: unknown

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1259
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1259
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010807 Multiple vulnerabilities in Avaya Argent Office
Reference: URL:http://online.securityfocus.com/archive/1/202344
Reference: XF:argent-office-udp-dos(6953)
Reference: URL:http://www.iss.net/security_center/static/6953.php

Avaya Argent Office allows remote attackers to cause a denial of service by sending UDP packets to port 53 with no payload.

Analysis
----------------
ED_PRI CAN-2001-1259 3
Vendor Acknowledgement: unknown
Content Decisions: SF-LOC

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1260
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1260
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010807 Multiple vulnerabilities in Avaya Argent Office
Reference: URL:http://online.securityfocus.com/archive/1/202344
Reference: XF:argent-office-weak-encryption(6954)
Reference: URL:http://www.iss.net/security_center/static/6954.php

Avaya Argent Office uses weak encryption (trivial encoding) for passwords, which allows remote attackers to gain administrator privileges by sniffing and decrypting the sniffed passwords during a system reboot.

Analysis
----------------
ED_PRI CAN-2001-1260 3
Vendor Acknowledgement: unknown
Content Decisions: SF-LOC

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1261
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1261
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010807 Multiple vulnerabilities in Avaya Argent Office
Reference: URL:http://online.securityfocus.com/archive/1/202344
Reference: XF:argent-office-change-music(6956)
Reference: URL:http://www.iss.net/security_center/static/6956.php

Avaya Argent Office 2.1 may allow remote attackers to change the music by spoofing a legitimate server's response to a TFTP broadcast and providing an alternate HoldMusic file.

Analysis
----------------
ED_PRI CAN-2001-1261 3
Vendor Acknowledgement: unknown
Content Decisions: SF-LOC

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1262
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1262
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010807 Multiple vulnerabilities in Avaya Argent Office
Reference: URL:http://online.securityfocus.com/archive/1/202344
Reference: XF:argent-office-community-string(6955)
Reference: URL:http://www.iss.net/security_center/static/6955.php

Avaya Argent Office 2.1 compares a user-provided SNMP community string with the correct string only up to the length of the user-provided string, which allows remote attackers to bypass authentication with a 0 length community string.

Analysis
----------------
ED_PRI CAN-2001-1262 3
Vendor Acknowledgement: unknown
Content Decisions: SF-LOC

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1272
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1272
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: DEBIAN:DSA-092
Reference: URL:http://www.debian.org/security/2001/dsa-092
Reference: XF:wmtv-execute-commands(7669)
Reference: URL:http://www.iss.net/security_center/static/7669.php
Reference: BID:3658
Reference: URL:http://www.securityfocus.com/bid/3658

wmtv 0.6.5 and earlier does not properly drop privileges, which allows local users to execute arbitrary commands via the -e (external command) option.

Analysis
----------------
ED_PRI CAN-2001-1272 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC
ABSTRACTION: CD:SF-LOC suggests distinguishing between different types of problems. Therefore, the buffer overflow and symlink problems in wmtv are separated.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1280
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1280
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011011 Vulnerabilities in Ipswitch IMail Server 7.04
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0076.html
Reference: MISC:http://www.ipswitch.com/Support/IMail/news.html
Reference: BID:3424
Reference: URL:http://online.securityfocus.com/bid/3424

POP3 Server for Ipswitch IMail 7.04 and earlier generates different responses to valid and invalid user names, which allows remote attackers to determine users on the system.

Analysis
----------------
ED_PRI CAN-2001-1280 3
Vendor Acknowledgement: unknown vague
Content Decisions: SF-LOC
ACKNOWLEDGEMENT: The vendor's news page includes an item for "IMail Server 7.04 Hot Fix 1" dated October 10, 2001, which coincides with the announcement of the IMail 7.04 vulnerabilities. However, from the vendor's description it is unclear whether the vendor fixed *these* vulnerabilities; the announcement is too vague to be certain.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1281
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1281
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011011 Vulnerabilities in Ipswitch IMail Server 7.04
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0076.html
Reference: MISC:http://www.ipswitch.com/Support/IMail/news.html
Reference: BID:3429
Reference: URL:http://online.securityfocus.com/bid/3429

Web Messaging Server for Ipswitch IMail 7.04 and earlier allows remote authenticated users to change information for other users by modifying the olduser parameter in the "Change User Information" web form.

Analysis
----------------
ED_PRI CAN-2001-1281 3
Vendor Acknowledgement: unknown vague
Content Decisions: SF-LOC
ACKNOWLEDGEMENT: The vendor's news page includes an item for "IMail Server 7.04 Hot Fix 1" dated October 10, 2001, which coincides with the announcement of the IMail 7.04 vulnerabilities. However, from the vendor's description it is unclear whether the vendor fixed *these* vulnerabilities; the announcement is too vague to be certain.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1282
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1282
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011011 Ipswitch Imail 7.04 vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0082.html
Reference: MISC:http://www.ipswitch.com/Support/IMail/news.html
Reference: BID:3426
Reference: URL:http://online.securityfocus.com/bid/3426

Ipswitch IMail 7.04 and earlier records the physical path of attachments in an e-mail message header, which could allow remote attackers to obtain sensitive configuration information.

Analysis
----------------
ED_PRI CAN-2001-1282 3
Vendor Acknowledgement: unknown vague
Content Decisions: SF-LOC
ACKNOWLEDGEMENT: The vendor's news page includes an item for "IMail Server 7.04 Hot Fix 1" dated October 10, 2001, which coincides with the announcement of the IMail 7.04 vulnerabilities. However, from the vendor's description it is unclear whether the vendor fixed *these* vulnerabilities; the announcement is too vague to be certain.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1283
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1283
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011011 Ipswitch Imail 7.04 vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0082.html
Reference: MISC:http://www.ipswitch.com/Support/IMail/news.html
Reference: BID:3427
Reference: URL:http://online.securityfocus.com/bid/3427

The webmail interface for Ipswitch IMail 7.04 and earlier allows remote authenticated users to cause a denial of service (crash) via a mailbox name that contains a large number of . (dot) or other characters to programs such as (1) readmail.cgi or (2) printmail.cgi, possibly due to a buffer overflow that may allow execution of arbitrary code.

Analysis
----------------
ED_PRI CAN-2001-1283 3
Vendor Acknowledgement: unknown vague
Content Decisions: SF-LOC
ACKNOWLEDGEMENT: The vendor's news page includes an item for "IMail Server 7.04 Hot Fix 1" dated October 10, 2001, which coincides with the announcement of the IMail 7.04 vulnerabilities. However, from the vendor's description it is unclear whether the vendor fixed *these* vulnerabilities; the announcement is too vague to be certain.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1284
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1284
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011011 Ipswitch Imail 7.04 vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0082.html
Reference: MISC:http://www.ipswitch.com/Support/IMail/news.html
Reference: BID:3428
Reference: URL:http://online.securityfocus.com/bid/3428

Ipswitch IMail 7.04 and earlier uses predictable session IDs for authentication, which allows remote attackers to hijack sessions of other users.

Analysis
----------------
ED_PRI CAN-2001-1284 3
Vendor Acknowledgement: unknown vague
Content Decisions: SF-LOC
ACKNOWLEDGEMENT: The vendor's news page includes an item for "IMail Server 7.04 Hot Fix 1" dated October 10, 2001, which coincides with the announcement of the IMail 7.04 vulnerabilities. However, from the vendor's description it is unclear whether the vendor fixed *these* vulnerabilities; the announcement is too vague to be certain.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1285
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1285
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011011 Ipswitch Imail 7.04 vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0082.html
Reference: MISC:http://www.ipswitch.com/Support/IMail/news.html
Reference: BID:3432
Reference: URL:http://online.securityfocus.com/bid/3432

Directory traversal vulnerability in readmail.cgi for Ipswitch IMail 7.04 and earlier allows remote attackers to access the mailboxes of other users via a .. (dot dot) in the mbx parameter.

Analysis
----------------
ED_PRI CAN-2001-1285 3
Vendor Acknowledgement: unknown vague
Content Decisions: SF-LOC
ACKNOWLEDGEMENT: The vendor's news page includes an item for "IMail Server 7.04 Hot Fix 1" dated October 10, 2001, which coincides with the announcement of the IMail 7.04 vulnerabilities. However, from the vendor's description it is unclear whether the vendor fixed *these* vulnerabilities; the announcement is too vague to be certain.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1286
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1286
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011011 Ipswitch Imail 7.04 vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0082.html
Reference: BUGTRAQ:20020310 IMail Account hijack through the Web Interface
Reference: URL:http://online.securityfocus.com/archive/1/261096
Reference: MISC:http://www.ipswitch.com/Support/IMail/news.html
Reference: BID:3432
Reference: URL:http://online.securityfocus.com/bid/3432

Ipswitch IMail 7.04 and earlier stores a user's session ID in a URL, which could allow remote attackers to hijack sessions by obtaining the URL, e.g. via an HTML e-mail that causes the Referrer to be sent to a URL under the attacker's control.

Analysis
----------------
ED_PRI CAN-2001-1286 3
Vendor Acknowledgement: unknown vague
Content Decisions: SF-LOC
ACKNOWLEDGEMENT: The vendor's news page includes an item for "IMail Server 7.04 Hot Fix 1" dated October 10, 2001, which coincides with the announcement of the IMail 7.04 vulnerabilities. However, from the vendor's description it is unclear whether the vendor fixed *these* vulnerabilities; the announcement is too vague to be certain.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1287
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1287
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011012 def-2001-29
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-10/0083.html
Reference: MISC:http://www.ipswitch.com/Support/IMail/news.html
Reference: BID:3431
Reference: URL:http://online.securityfocus.com/bid/3431

Buffer overflow in Web Calendar in Ipswitch IMail 7.04 and earlier allows remote attackers to execute arbitrary code via an HTTP GET request.

Analysis
----------------
ED_PRI CAN-2001-1287 3
Vendor Acknowledgement: unknown vague
Content Decisions: SF-LOC
ACKNOWLEDGEMENT: The vendor's news page includes an item for "IMail Server 7.04 Hot Fix 1" dated October 10, 2001, which coincides with the announcement of the IMail 7.04 vulnerabilities. However, from the vendor's description it is unclear whether the vendor fixed *these* vulnerabilities; the announcement is too vague to be certain.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1292
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1292
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010813 Sambar Telnet Proxy/Server multiple vulnerablietis
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-08/0160.html
Reference: XF:sambar-telnet-bo(6973)
Reference: URL:http://www.iss.net/security_center/static/6973.php

Sambar Telnet Proxy/Server allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long password.

Analysis
----------------
ED_PRI CAN-2001-1292 3
Vendor Acknowledgement:

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1293
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1293
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010926 3Com(r) HomeConnect(r) Cable Modem Denial of Service
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-09/0217.html
Reference: CERT-VN:VU#500027
Reference: URL:http://www.kb.cert.org/vuls/id/500027
Reference: BID:3366
Reference: URL:http://online.securityfocus.com/bid/3366

Buffer overflow in the web server of 3com HomeConnect Cable Modem External with USB (#3CR29223) allows remote attackers to cause a denial of service (crash) via an HTTP request.

Analysis
----------------
ED_PRI CAN-2001-1293 3
Vendor Acknowledgement:
Content Decisions: SF-CODEBASE
ABSTRACTION: CVE-2001-0740 describes a similar problem, but in OfficeConnect; in addition, the exploit for OfficeConnect may be a format string vulnerability and not an overflow.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1294
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1294
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: NTBUGTRAQ:20000117 Remote Buffer Exploit - InetServ 3.0
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0001&L=ntbugtraq&F=P&S=&P=4592
Reference: BUGTRAQ:20010822 AVTronics InetServer DoS and BOF vulnerabilities
Reference: BID:3224
Reference: URL:http://online.securityfocus.com/bid/3224
Reference: XF:inetserv-webmail-bo(7022)
Reference: URL:http://www.iss.net/security_center/static/7022.php

Buffer overflow in AVTronics Inetserv 3.2.1 and earlier allows remote attackers to cause a denial of service (crash) in the webmail interface via a username and password.

Analysis
----------------
ED_PRI CAN-2001-1294 3
Vendor Acknowledgement:
Content Decisions: SF-LOC, REDISCOVERY
ABSTRACTION: A similar vulnerability, for long requests to the webmail interface, is CVE-2000-0065, and this issue has been repeatedly posted to Bugtraq. CD:SF-LOC suggests combining problems of the same type that affect the same versions, but there is not enough information to know whether the "long request" problem affects the same versions.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1296
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1296
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: MISC:http://www.moregroupware.org/index.php?action=detail&news_id=24
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://www.iss.net/security_center/static/7215.php
Reference: BID:3383
Reference: URL:http://www.securityfocus.com/bid/3383

More.groupware PHP script allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.

Analysis
----------------
ED_PRI CAN-2001-1296 3
Vendor Acknowledgement: unknown vague
ACKNOWLEDGEMENT: Release notes dated October 31, 2001 say that the new version includes "some neat security patches," but it is unclear whether the vendor is fixing *this* problem.

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1298
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1298
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20011002 results of semi-automatic source code audit
Reference: URL:http://www.securityfocus.com/archive/1/218000
Reference: BID:3385
Reference: URL:http://www.securityfocus.com/bid/3385
Reference: XF:php-includedir-code-execution(7215)
Reference: URL:http://www.iss.net/security_center/static/7215.php

Webodex PHP script 1.0 and earlier allows remote attackers to include arbitrary files from remote web sites via an HTTP request that sets the includedir variable.

Analysis
----------------
ED_PRI CAN-2001-1298 3
Vendor Acknowledgement:

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1300
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1300
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: MISC:http://www.securiteam.com/windowsntfocus/5KP0N0A55M.html
Reference: XF:dynuftp-dot-directory-traversal(7045)
Reference: URL:http://www.iss.net/security_center/static/7045.php

Directory traversal vulnerability in Dynu FTP server 1.05 and earlier allows remote attackers to read arbitrary files via a .. in the CD (CWD) command.

Analysis
----------------
ED_PRI CAN-2001-1300 3
Vendor Acknowledgement:

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1301
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1301
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010807 rcs2log
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-08/0093.html

rcs2log, as used in Emacs 20.4, xemacs 21.1.10, and possibly other packages, allows local users to modify files of other users via a symlink attack on a temporary file.

Analysis
----------------
ED_PRI CAN-2001-1301 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1304
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1304
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010803 Denial of service in SHOUTcast Server 1.8.2 Linux/w32/?
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2001-08/0048.html
Reference: XF:shoutcast-http-field-bo(6938)
Reference: URL:http://www.iss.net/security_center/static/6938.php

Buffer overflow in SHOUTcast Server 1.8.2 allows remote attackers to cause a denial of service (crash) via multiple HTTP requests with a long (1) user-agent or (2) host HTTP header.

Analysis
----------------
ED_PRI CAN-2001-1304 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2001-1305
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=can-2001-1305
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20010822 Hexyn / Securax Advisory #22 - ICQ Forced Auto-Add Users
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=99851887024728&w=2
Reference: BID:3226
Reference: URL:http://online.securityfocus.com/bid/3226
Reference: XF:icq-auto-add-user(7028)
Reference: URL:http://www.iss.net/security_center/static/7028.php

ICQ 2001a Alpha and earlier allows remote attackers to automatically add arbitrary UINs to an ICQ user's contact list via a URL to a web page with a Content-Type of application/x-icq, which is processed by Internet Explorer.

Analysis
----------------
ED_PRI CAN-2001-1305 3
Vendor Acknowledgement:

Voting Section
--------------

Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT

If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

Page last updated or reviewed: May 22, 2007