
[PROPOSAL] Cluster RECENT-87 - 58 candidates



I have proposed cluster RECENT-87 for review and voting by the Editorial
Board.

Name: RECENT-87
Description: Candidates announced between 2/19/2002 and 2/28/2002
Size: 58

You may vote on the candidates by modifying this email and sending it
back to me, or by using the CVE voting web site.

The candidates are listed in priority order.  Priority 1 and Priority 2
candidates have all received varying levels of vendor confirmation, so
they should be easy to review and can be trusted to be real problems.

If you discover that any RECENT-XX cluster is incomplete with respect
to issues discovered during the associated time frame, please send
that information to me so that candidates can be assigned.

- Steve

Summary of votes to use (in ascending order of "severity")
----------------------------------------------------------

ACCEPT    - voter accepts the candidate as proposed
NOOP      - voter has no opinion on the candidate
MODIFY    - voter wants to change some minor details (e.g. reference/description)
REVIEWING - voter is reviewing/researching the candidate, or needs more info
RECAST    - candidate must be significantly modified, e.g. split or merged
REJECT    - candidate is not a "vulnerability", or a duplicate, etc.

1) Please write your vote on the line that starts with "VOTE:".  If
   you want to add comments or details, add them to lines after the
   VOTE: line.

2) If you see any missing references, please mention them so that they
   can be included.  References help greatly in mapping.

3) Please note that a "MODIFY" is treated as an "ACCEPT" when counting
   votes.  So if you don't have sufficient information for a candidate
   but you don't want to NOOP, use a REVIEWING.

********** NOTE ********** NOTE ********** NOTE ********** NOTE **********

Please keep in mind that your vote and comments will be recorded and
publicly viewable in the mailing list archives or in other formats.

======================================================
Candidate: CAN-2002-0300
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0300
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020219 gnujsp: dir- and script-disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101415804625292&w=2
Reference: BUGTRAQ:20020220 Re: gnujsp: dir- and script-disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101422432123898&w=2
Reference: DEBIAN:DSA-114
Reference: URL:http://www.debian.org/security/2002/dsa-114
Reference: BID:4125
Reference: URL:http://online.securityfocus.com/bid/4125

GNUJSP 1.0.0 and 1.0.1 allows remote attackers to list directories, read
the source code of certain scripts, and bypass access restrictions by
requesting the target file directly from the gnujsp servlet, which does
not resolve JServ restrictions and does not process the requested file.

Analysis
--------
ED_PRI CAN-2002-0300 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0302
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0302
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020220 Symantec Enterprise Firewall (SEF) notify daemon data loss via SNMP
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101424225814604&w=2
Reference: CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2002.02.20a.html
Reference: BID:4139
Reference: URL:http://online.securityfocus.com/bid/4139

The notify daemon for Symantec Enterprise Firewall (SEF) 6.5.x drops
large alerts when SNMP is used as the transport, which could prevent
some alerts from being sent in the event of an attack.

Analysis
--------
ED_PRI CAN-2002-0302 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0329
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0329
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020227 RE: Open Bulletin Board javascript bug.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101485184605149&w=2
Reference: BUGTRAQ:20020227 Snitz 2000 code patch (RE: Open Bulletin Board javascript bug.)
Reference: URL:http://online.securityfocus.com/archive/1/258981
Reference: CONFIRM:http://forum.snitz.com/forum/link.asp?TOPIC_ID=23660
Reference: BID:4192
Reference: URL:http://online.securityfocus.com/bid/4192
Reference: BID:4192
Reference: URL:http://www.securityfocus.com/bid/4192
Reference: XF:snitz-img-css(8309)
Reference: URL:http://www.iss.net/security_center/static/8309.php

Cross-site scripting vulnerability in Snitz Forums 2000 3.3.03 and
earlier allows remote attackers to execute arbitrary script as other
Forums 2000 users via Javascript in an IMG tag.

Analysis
--------
ED_PRI CAN-2002-0329 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0330
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0330
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020225 Open Bulletin Board javascript bug.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101466092601554&w=2
Reference: CONFIRM:http://community.iansoft.net/read.php?TID=5159
Reference: BID:4171
Reference: URL:http://online.securityfocus.com/bid/4171
Reference: XF:openbb-img-css(8278)
Reference: URL:http://www.iss.net/security_center/static/8278.php

Cross-site scripting vulnerability in codeparse.php in Open Bulletin
Board (OpenBB) 1.0.0 allows remote attackers to execute arbitrary script
and steal cookies via Javascript in an IMG tag.

Analysis
--------
ED_PRI CAN-2002-0330 1
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0339
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0339
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: CISCO:20020227 Cisco Security Advisory: Data Leak with Cisco Express Forwarding
Reference: URL:http://www.cisco.com/warp/public/707/IOS-CEF-pub.shtml
Reference: XF:ios-cef-information-leak(8296)
Reference: URL:http://www.iss.net/security_center/static/8296.php
Reference: BID:4191
Reference: URL:http://www.securityfocus.com/bid/4191

Cisco IOS 11.1CC through 12.2 with Cisco Express Forwarding (CEF)
enabled includes portions of previous packets in the padding of a
MAC-layer packet when the MAC packet's length is less than the IP
packet's length.

Analysis
--------
ED_PRI CAN-2002-0339 1
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0292
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0292
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020219 [SA-2002:01] Slashcode login vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101414005501708&w=2
Reference: BID:4116
Reference: URL:http://online.securityfocus.com/bid/4116

Cross-site scripting vulnerability in Slash 2.2.5, as used in Slashcode
and elsewhere, allows remote attackers to steal cookies and
authentication information from other users via Javascript in a URL,
possibly the formkey field.

Analysis
--------
ED_PRI CAN-2002-0292 2
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0299
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0299
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020220 CNet Catchup arbitrary code execution
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101438631921749&w=2
Reference: BID:3975
Reference: URL:http://online.securityfocus.com/bid/3975

CNet Catchup before 1.3.1 allows attackers to execute arbitrary code via
a .RVP file that creates a file with an arbitrary extension (e.g. .bat),
which is executed during a scan.

Analysis
--------
ED_PRI CAN-2002-0299 2
Vendor Acknowledgement: yes

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0309
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0309
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020221 Symantec Enterprise Firewall (SEF) SMTP proxy inconsistency
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101430810813853&w=2
Reference: BUGTRAQ:20020220 Symantec Enterprise Firewall (SEF) SMTP proxy inconsistency
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101424307617060&w=2
Reference: BID:4141
Reference: URL:http://online.securityfocus.com/bid/4141

The SMTP proxy in Symantec Enterprise Firewall (SEF) 6.5.x includes the
firewall's physical interface name and address in an SMTP protocol
exchange when NAT translates the address outside the firewall, which
could allow remote attackers to determine certain firewall configuration
information.

Analysis
--------
ED_PRI CAN-2002-0309 2
Vendor Acknowledgement: yes followup

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0318
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0318
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020221 DoS attack on many RADIUS servers
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101440113410083&w=2

FreeRADIUS RADIUS server allows remote attackers to cause a denial of
service (CPU consumption) via a large number of access request packets.

Analysis
--------
ED_PRI CAN-2002-0318 2
Vendor Acknowledgement: yes advisory

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0293
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0293
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: BUGTRAQ:20020219 Security BugWare: Alcatel 4400 switch hacking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101413767925869&w=2

The FTP service on Alcatel OmniPCX 4400 allows the "halt" user to gain
root privileges by modifying root's .profile file.

Analysis
--------
ED_PRI CAN-2002-0293 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0294
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0294
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: BUGTRAQ:20020219 Security BugWare: Alcatel 4400 switch hacking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101413767925869&w=2
Reference: BID:4130
Reference: URL:http://online.securityfocus.com/bid/4130

Alcatel 4400 installs the /chetc/shutdown command with setgid
privileges, which allows many different local users to shut down the
system.

Analysis
--------
ED_PRI CAN-2002-0294 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0295
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0295
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: CF
Reference: BUGTRAQ:20020219 Security BugWare: Alcatel 4400 switch hacking
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101413767925869&w=2
Reference: BID:4133
Reference: URL:http://online.securityfocus.com/bid/4133

Alcatel OmniPCX 4400 installs files with world-writable permissions,
which allows local users to configure the system and possibly gain
privileges.

Analysis
--------
ED_PRI CAN-2002-0295 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0296
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0296
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020219 Another local root vulnerability during installation of Tarantella Enterprise 3.
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-02/0187.html
Reference: BUGTRAQ:20020224 Exploit for Tarantella Enterprise installation (BID 4115)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101467193803592&w=2
Reference: BID:4115
Reference: URL:http://www.securityfocus.com/bid/4115

The installation of Tarantella Enterprise 3 allows local users to
overwrite arbitrary files via a symlink attack on the "spin" temporary
file.

Analysis
--------
ED_PRI CAN-2002-0296 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0297
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0297
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020219 ScriptEase MiniWeb Server DoS vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101415883727615&w=2
Reference: BID:4128
Reference: URL:http://online.securityfocus.com/bid/4128

Buffer overflow in ScriptEase MiniWeb Server 0.95 allows remote
attackers to cause a denial of service (crash) and possibly execute
arbitrary code via an HTTP request with a long URL.

Analysis
--------
ED_PRI CAN-2002-0297 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0298
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0298
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020219 Four ScriptEase MiniWeb Server v0.95 DoS attacks
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101424439220931&w=2
Reference: BID:4145
Reference: URL:http://online.securityfocus.com/bid/4145

ScriptEase MiniWeb Server 0.95 allows remote attackers to cause a denial
of service (crash) via certain HTTP GET requests containing (1) a %2e%2e
(encoded dot dot), (2) multiple /../ (dot dot) sequences, (3) a missing
URI, or (4) several ../ in a URI without a leading / (slash) character.

Analysis
--------
ED_PRI CAN-2002-0298 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0301
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0301
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020220 Re: Citrix NFuse 1.6 - additional network exposure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101424947801895&w=2
Reference: BID:4142
Reference: URL:http://online.securityfocus.com/bid/4142

Citrix NFuse 1.6 allows remote attackers to bypass authentication and
obtain sensitive information by directly calling the .asp page with
invalid NFUSE_USER and NFUSE_PASSWORD parameters.

Analysis
--------
ED_PRI CAN-2002-0301 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0303
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0303
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020220 Security issue in GroupWise 6 Post Office and LDAP authentication
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101425369510983&w=2
Reference: BID:4154
Reference: URL:http://online.securityfocus.com/bid/4154

GroupWise 6, when using LDAP authentication and when the post office has
a blank username and password, allows attackers to gain the privileges
of other users when logging in with a password.

Analysis
--------
ED_PRI CAN-2002-0303 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0304
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0304
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020220 SecurityOffice Security Advisory://LilHTTP Web Server File Access Protection Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101432338000591&w=2
Reference: BUGTRAQ:20020320 LilHTTP Web Server File Access Protection Vulnerability (Solution)
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101665069500433&w=2
Reference: MISC:http://www.summitcn.com/lilhttp/lildocs.html (WhatsNew)

Lil' HTTP Server 2.1 allows remote attackers to read password-protected
files via a /./ in an HTTP request.

Analysis
--------
ED_PRI CAN-2002-0304 3
Vendor Acknowledgement: unknown discloser-claimed
ACKNOWLEDGEMENT: The vendor's "What's New" page includes an entry for
version 2.2, namely "Fixed some known security issues with the server."
It is not clear whether the vendor fixed THIS issue.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0305
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0305
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020221 Zero One Tech (ZOT) P100 PrintServer and SNMP
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101432416503293&w=2

Zero One Tech (ZOT) P100 print server does not properly disable the SNMP
service or change the default password, which could allow the server to
be attacked without the administrator's knowledge.

Analysis
--------
ED_PRI CAN-2002-0305 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0306
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0306
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020221 "Cthulhu xhAze" - command execution in Ans.pl
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101430868616112&w=2
Reference: BID:4149
Reference: URL:http://online.securityfocus.com/bid/4149

ans.pl in Avenger's News System (ANS) 2.11 and earlier allows remote
attackers to execute arbitrary commands via shell metacharacters in the
p (plugin) parameter.

Analysis
--------
ED_PRI CAN-2002-0306 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0307
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0307
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020221 "Cthulhu xhAze" - command execution in Ans.pl
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101430868616112&w=2
Reference: BID:4147
Reference: URL:http://online.securityfocus.com/bid/4147

Directory traversal vulnerability in ans.pl in Avenger's News System
(ANS) 2.11 and earlier allows remote attackers to determine the existence
of arbitrary files or execute any Perl program on the system via a ..
(dot dot) in the p parameter, which reads the target file and attempts
to execute its lines using Perl's eval function.

Analysis
--------
ED_PRI CAN-2002-0307 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0308
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0308
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020221 AdMentor login flaw
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101430885516675&w=2
Reference: BID:4152
Reference: URL:http://online.securityfocus.com/bid/4152

admin.asp in AdMentor 2.11 allows remote attackers to bypass
authentication and gain privileges via SQL injection in the login name
and password parameters.

Analysis
--------
ED_PRI CAN-2002-0308 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0310
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0310
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020221 Netwin NewsEngine 1.1k
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101432236729631&w=2
Reference: BID:4156
Reference: URL:http://online.securityfocus.com/bid/4156

The Netwin NewsEngine 1.1k CGI program includes several default
usernames and cleartext passwords that cannot be removed by the
administrator, which allows remote attackers to gain privileges via the
username/password combinations (1) testweb/newstest,
(2) alwn3845/imaptest, (3) alwi3845/wtest3452, or (4) testweb2/wtest4879.

Analysis
--------
ED_PRI CAN-2002-0310 3
Vendor Acknowledgement:
Content Decisions: CF-DEFAULT, CF-PASS

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0311
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0311
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020120 Unixware 7.1.1 scoadminreg.cgi local exploit
Reference: URL:http://online.securityfocus.com/archive/1/251747
Reference: CALDERA:CSSA-2002-SCO.6
Reference: URL:ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.6/CSSA-2002-SCO.6.txt
Reference: BID:3936
Reference: URL:http://online.securityfocus.com/bid/3936
Reference: XF:unixware-webtop-execute-commands(7977)
Reference: URL:http://www.iss.net/security_center/static/7977.php

Vulnerability in webtop in UnixWare 7.1.1 and Open UNIX 8.0.0 allows
local and remote attackers to gain root privileges via shell
metacharacters in arguments to (1) scoadminreg.cgi or
(2) service_action.cgi.

Analysis
--------
ED_PRI CAN-2002-0311 3
Vendor Acknowledgement: yes patch
Content Decisions: SF-EXEC, VAGUE
ABSTRACTION: While the Caldera advisory is vague, the severity of the
problem, the affected item, and the timing of the advisory all give some
indication that the advisory may address the same issue that was
reported a month earlier.  By examining the source code included in the
specific patch (erg711951b.Z), one can see that the "manager" $
variable - apparently the variable manipulated by the published
exploit - is now being cleansed of shell metacharacters.  Given this
patch, coupled with the fact that Caldera did not dispute the original
poster's claims, there is finally sufficient evidence that the Caldera
advisory addresses the problem given in the original Bugtraq post.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0312
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0312
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020226 SecurityOffice Security Advisory://Essentia Web Server Vulnerabilities (Vendor Patch)
Reference: URL:http://online.securityfocus.com/archive/1/258365
Reference: NTBUGTRAQ:20020222 SecurityOffice Security Advisory://Essentia Web Server Vulnerabilities (Vendor Patch)
Reference: URL:http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind0202&L=ntbugtraq&F=P&S=&P=10201
Reference: BUGTRAQ:20020221 SecurityOffice Security Advisory://Essentia Web Server Directory Traversal Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101439734827908&w=2
Reference: XF:essentia-server-directory-traversal(8248)
Reference: URL:http://www.iss.net/security_center/static/8248.php
Reference: BID:4160
Reference: URL:http://www.securityfocus.com/bid/4160

Directory traversal vulnerability in Essentia Web Server 2.1 allows
remote attackers to read arbitrary files via a .. (dot dot) in a URL.

Analysis
--------
ED_PRI CAN-2002-0312 3
Vendor Acknowledgement: yes followup
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0313
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0313
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020226 SecurityOffice Security Advisory://Essentia Web Server Vulnerabilities (Vendor Patch)
Reference: URL:http://online.securityfocus.com/archive/1/258365
Reference: BUGTRAQ:20020221 SecurityOffice Security Advisory://Essentia Web Server DoS Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101440530023617&w=2
Reference: XF:essentia-server-long-request-dos(8249)
Reference: URL:http://www.iss.net/security_center/static/8249.php
Reference: BID:4159
Reference: URL:http://www.securityfocus.com/bid/4159

Buffer overflow in Essentia Web Server 2.1 allows remote attackers to
cause a denial of service and possibly execute arbitrary code via a long
URL.

Analysis
--------
ED_PRI CAN-2002-0313 3
Vendor Acknowledgement: yes followup
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0314
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0314
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020222 Morpheus, Kazaa and Grokster remote DoS. Identity spoofing vulnerability.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101441689224760&w=2
Reference: BID:4122
Reference: URL:http://www.securityfocus.com/bid/4122
Reference: XF:fasttrack-message-service-dos(8273)
Reference: URL:http://www.iss.net/security_center/static/8273.php

FastTrack P2P, as used in (1) KaZaA before 1.5, (2) Grokster, and
(3) Morpheus, allows remote attackers to cause a denial of service
(memory exhaustion) via a series of client-to-client messages, each of
which pops up a new window.

Analysis
--------
ED_PRI CAN-2002-0314 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: EX-CLIENT-DOS

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0315
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0315
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020222 Morpheus, Kazaa and Grokster remote DoS. Identity spoofing vulnerability.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101441689224760&w=2
Reference: XF:fasttrack-message-service-spoof(8272)
Reference: URL:http://www.iss.net/security_center/static/8272.php
Reference: BID:4121
Reference: URL:http://www.securityfocus.com/bid/4121

FastTrack P2P, as used in (1) KaZaA, (2) Grokster, and (3) Morpheus,
allows remote attackers to spoof other users by modifying the username
and network information in message headers.

Analysis
--------
ED_PRI CAN-2002-0315 3
Vendor Acknowledgement: unknown discloser-claimed
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0316
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0316
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020222 XMB cross-scripting vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101447886404876&w=2
Reference: XF:xmb-php-css(8262)
Reference: URL:http://www.iss.net/security_center/static/8262.php
Reference: BID:4167
Reference: URL:http://www.securityfocus.com/bid/4167

Cross-site scripting vulnerability in Extreme Message Board (XMB) 1.6.x
and earlier allows remote attackers to execute script as other XMB users
via script inserted into an IMG tag.

Analysis
--------
ED_PRI CAN-2002-0316 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0317
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0317
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020220 Gator installer plugin allows any software to be installed
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101438671922874&w=2
Reference: MISC:http://www.gator.com/update/
Reference: XF:gator-activex-install(8266)
Reference: URL:http://www.iss.net/security_center/static/8266.php
Reference: BID:4161
Reference: URL:http://www.securityfocus.com/bid/4161

The Gator ActiveX component (IEGator.dll) 3.0.6.1 allows remote web
sites to install arbitrary software by specifying a Trojan horse Gator
installation file (setup.ex_) in the src parameter.

Analysis
--------
ED_PRI CAN-2002-0317 3
Vendor Acknowledgement: unknown vague
ACKNOWLEDGEMENT: Two days after disclosure, the vendor included a
prominent "Security Fix" link on the front page, which leads to an
update page.  The page does not include enough detail to determine
whether the vendor fixed this vulnerability.  Downloading the
"GatorSecurityFix.exe" program and analyzing the ASCII strings in the
program, it appears to be attempting to find and delete IEGator.dll,
but it is not clear whether this is a key factor in the vulnerability,
or part of the update process.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0319
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0319
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020222 pforum: cross-site scripting vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101446366708757&w=2
Reference: BID:4165
Reference: URL:http://www.securityfocus.com/bid/4165
Reference: XF:pforum-username-css(8263)
Reference: URL:http://www.iss.net/security_center/static/8263.php

Cross-site scripting vulnerability in edituser.php in pforum 1.14 and
earlier allows remote attackers to execute script and steal cookies from
other users via Javascript in the username.

Analysis
--------
ED_PRI CAN-2002-0319 3
Vendor Acknowledgement: unknown foreign

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0320
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0320
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020221 Remote crash in Yahoo Messenger
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101439616623230&w=2
Reference: XF:yahoo-messenger-message-bo(8264)
Reference: URL:http://www.iss.net/security_center/static/8264.php
Reference: XF:yahoo-messenger-imvironment-bo(8265)
Reference: URL:http://www.iss.net/security_center/static/8265.php
Reference: BID:4162
Reference: URL:http://online.securityfocus.com/bid/4162
Reference: BID:4163
Reference: URL:http://online.securityfocus.com/bid/4163

Buffer overflow in Yahoo! Messenger 5.0 allows remote attackers to cause
a denial of service and possibly execute arbitrary code via a long
(1) message or (2) IMvironment field.

Analysis
--------
ED_PRI CAN-2002-0320 3
Vendor Acknowledgement:
Content Decisions: SF-LOC
INCLUSION: CD:EX-CLIENT-DOS suggests excluding problems that only cause
a DoS within the client; however, this problem may be an exploitable
buffer overflow (not proven), which could be a more serious problem.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0321
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0321
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020221 Remote crash in Yahoo Messenger
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101439616623230&w=2
Reference: XF:yahoo-messenger-username-spoof(8267)
Reference: URL:http://www.iss.net/security_center/static/8267.php
Reference: BID:4164
Reference: URL:http://www.securityfocus.com/bid/4164

Yahoo! Messenger 5.0 allows remote attackers to spoof other users by
modifying the username, and use the spoofed username for social
engineering or denial of service (flooding) attacks.

Analysis
--------
ED_PRI CAN-2002-0321 3
Vendor Acknowledgement:
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0322
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0322
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020223 Re: Remote crash in Yahoo Messenger
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101466489113920&w=2
Reference: BUGTRAQ:20020223 Re: Re: Remote crash in Yahoo Messenger
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101467298107635&w=2
Reference: BID:4173
Reference: URL:http://online.securityfocus.com/bid/4173

Yahoo! Messenger 4.0 sends user passwords in cleartext, which could
allow remote attackers to gain the privileges of other users via
sniffing.

Analysis
--------
ED_PRI CAN-2002-0322 3
Vendor Acknowledgement:
Content Decisions: SF-LOC, DESIGN-NO-ENCRYPTION

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0323
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0323
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020224 ScriptEase:WebServer Edition vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101465709621105&w=2

comment2.jse in ScriptEase:WebServer Edition allows remote attackers to
read arbitrary files by specifying the target file as an argument in the
URL.

Analysis
--------
ED_PRI CAN-2002-0323 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0324
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0324
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020224 Greymatter 1.21c and earlier - remote login/pass exposure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101465343308249&w=2
Reference: MISC:http://www.dangerousmonkey.com/dangblog/dangarch/00000051.htm
Reference: XF:greymatter-gmrightclick-account-information(8277)
Reference: URL:http://www.iss.net/security_center/static/8277.php
Reference: BID:4169
Reference: URL:http://online.securityfocus.com/bid/4169

Greymatter 1.21c and earlier, with the bookmarklet feature enabled,
allows remote attackers to read cleartext passwords and gain
administrative privileges by guessing the name of the gmrightclick-*.reg
file, which contains the administrator's cleartext name and password,
then retrieving the file from the web server before the Greymatter
administrator performs the "Clear and Exit" action.

Analysis
--------
ED_PRI CAN-2002-0324 3
Vendor Acknowledgement: disputed (poor configuration)
INCLUSION: The vendor effectively disputes the severity of the
vulnerability, because proper use of the tool (i.e. logging out with
"Clear and Exit") will minimize the problem.  However, the file will
still exist during the user's session, which means there may still be
an exploitable race condition.

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0325
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0325
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020226 BadBlue Yet another directory traversal
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101474689126219&w=2
Reference: BID:4179
Reference: URL:http://www.securityfocus.com/bid/4179
Reference: XF:badblue-dotdotdot-directory-traversal(8295)
Reference: URL:http://www.iss.net/security_center/static/8295.php

Directory traversal vulnerability in BadBlue 1.6.1 allows remote
attackers to read arbitrary files via a ... (modified dot dot) in the
URL.

Analysis
--------
ED_PRI CAN-2002-0325 3
Vendor Acknowledgement: unknown discloser-claimed

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0326
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0326
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020226 BadBlue XSS vulnerability / file sharing server bug
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101474387016066&w=2
Reference: BID:4180
Reference: URL:http://www.securityfocus.com/bid/4180
Reference: XF:badblue-url-css(8294)
Reference: URL:http://www.iss.net/security_center/static/8294.php

Cross-site scripting vulnerability in BadBlue 1.6.1 beta may allow
remote attackers to execute arbitrary script and additional commands via
a URL containing Javascript.

Analysis
--------
ED_PRI CAN-2002-0326 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0327
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0327
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: VULN-DEV:20020222 Censoft Term Emu BOF
Reference: URL:http://online.securityfocus.com/archive/82/257731
Reference: BUGTRAQ:20020227 Century Software Term exploit
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101477608215471&w=2
Reference: XF:term-tty-bo(8291)
Reference: URL:http://www.iss.net/security_center/static/8291.php
Reference: BID:4174
Reference: URL:http://online.securityfocus.com/bid/4174

Buffer overflow in Century Software TERM allows local users to gain root
privileges via a long tty argument to the dial program.

Analysis
--------
ED_PRI CAN-2002-0327 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0328
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0328
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020226 Re: Open Bulletin Board javascript bug.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101475420818274&w=2
Reference: BID:4182
Reference: URL:http://online.securityfocus.com/bid/4182

Cross-site scripting vulnerability in Ikonboard 3.0.1 allows remote
attackers to execute arbitrary script as other Ikonboard users and steal
cookies via Javascript in an IMG tag.

Analysis
--------
ED_PRI CAN-2002-0328 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0331
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0331
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020227 BPM STUDIO PRO 4.2 Directory Escape Weakness
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101486044323352&w=2
Reference: XF:bpm-http-directory-traversal(8300)
Reference: URL:http://www.iss.net/security_center/static/8300.php
Reference: BID:4198
Reference: URL:http://online.securityfocus.com/bid/4198

Directory traversal vulnerability in the HTTP server for BPM Studio Pro
4.2 allows remote attackers to read arbitrary files via a .. (dot dot)
in the HTTP request.

Analysis
--------
ED_PRI CAN-2002-0331 3
Vendor Acknowledgement:

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0332
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0332
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020227 Remote exploits against xtelld and other fun
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101494896516467&w=2
Reference: DEBIAN:DSA-121
Reference: URL:http://www.debian.org/security/2002/dsa-121
Reference: BID:4194
Reference: URL:http://www.securityfocus.com/bid/4194
Reference: XF:xtell-tty-directory-traversal(8313)
Reference: URL:http://www.iss.net/security_center/static/8313.php

Buffer overflows in xtelld in xtell 1.91.1 and earlier, and 2.x before
2.7, allow remote attackers to execute arbitrary code via (1) a long DNS
hostname that is determined using reverse DNS lookups, (2) a long
authentication string, or (3) certain data in an xtell request.

Analysis
--------
ED_PRI CAN-2002-0332 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
--------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG,
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0333
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0333
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020502
Assigned: 20020501
Category: SF
Reference: BUGTRAQ:20020227 Remote exploits against xtelld and other fun
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=101494896516467&w=2
Reference: DEBIAN:DSA-121
Reference: URL:http://www.debian.org/security/2002/dsa-121
Reference: BID:4194
Reference: URL:http://www.securityfocus.com/bid/4194
Reference: XF:xtell-tty-directory-traversal(8313)
Reference: URL:http://www.iss.net/security_center/static/8313.php

Directory traversal vulnerability in xtell
xtelld 1.91.1和早些时候,和2。x 2.7之前,允许远程攻击者读取文件使用短名称,和本地用户阅读更多文件使用短名称的符号链接,通过. .TTY的论点。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0333 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0334网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0334最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020227远程利用对xtelld和其他有趣的引用:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101494896516467&w=2参考:DEBIAN: dsa - 121参考:网址:http://www.debian.org/security/2002/dsa - 121参考:报价:4197参考:网址:http://www.securityfocus.com/bid/4197参考:XF: xtell-log-symlink(8314)参考:网址:http://www.iss.net/security_center/static/8314.phpxtell (xtelld) 1.91.1早些时候,2。x 2.7之前,允许本地用户修改文件通过一个符号链接攻击.xtell-log文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0334 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0335网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0335最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020227 LBYTE&SECURITY。NNOV:缓冲区溢出在克里斯托弗参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101484128203523&w=2参考:报价:4186参考:网址:http://www.securityfocus.com/bid/4186参考:XF: worldgroup-http-get-bo(8298)参考:网址:http://www.iss.net/security_center/static/8298.php缓冲区溢出在Galacticomm克里斯托弗web server 3.20和更早的允许远程攻击者导致拒绝服务,并可能执行任意代码,通过一个HTTP GET请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0335 3供应商确认:内容决定:SF-EXEC, SF-CODEBASE投票部分- - - - - - - - - - - - - - - 
-可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0336网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0336最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020227 LBYTE&SECURITY。NNOV:缓冲区溢出在克里斯托弗参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101484128203523&w=2参考:XF: worldgroup-ftp-list-bo(8297)参考:网址:http://www.iss.net/security_center/static/8297.php参考:报价:4185参考:网址:http://www.securityfocus.com/bid/41853.20和更早的缓冲区溢出在Galacticomm克里斯托弗FTP服务器允许远程攻击者导致拒绝服务,并可能执行任意代码,通过包含大量的命令列表/(削减),*(通配符),. .字符。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0336 3供应商确认:内容决定:SF-EXEC, SF-CODEBASE投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0337网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0337最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020227 2 k,安装了RealPlayer 100% CPU利用率参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101495354424868&w=2参考:XF: realplayer-mp3-invalid-dos(8320)参考:网址:http://www.iss.net/security_center/static/8320.php参考:报价:4200参考:网址:http://www.securityfocus.com/bid/4200RealPlayer 8允许远程攻击者造成拒绝服务(CPU利用率)通过畸形的mp3文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0337 3供应商确认:内容决定:EX-CLIENT-DOS投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 
0338网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0338最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020227安全。在蝙蝠NNOV:特殊设备访问!参考网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101483832026841&w=2参考:报价:4187参考:网址:http://www.securityfocus.com/bid/4187参考:XF: thebat-msdos-device-dos(8303)参考:网址:http://www.iss.net/security_center/static/8303.php蝙蝠!1.53 d和1.54测试版,可能还有其他版本,允许远程攻击者造成拒绝服务(崩溃)通过附件的名称包括一个ms - dos设备名称。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0338 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0340网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0340最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020222 Windows媒体播放器执行WMF内容。mp3文件。参考网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101447771102582&w=2Windows媒体播放器(买理财产品买)8.00.00.4477,可能还有其他版本,自动检测并执行.wmf和其他内容,即使文件的扩展名或内容类型没有指定.wmf,这使得攻击者更容易进行未经授权的活动通过木马文件包含.wmf内容。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0340 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0341网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0341最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020227 SecurityOffice安全顾问:/ / Novell GroupWise Web访问路径披露漏洞参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101494830315071&w=2GWWEB。EXE GroupWise Web Access 5.5,可能还有其他版本,允许远程攻击者决定的完整路径名与无效HTMLVER Web服务器通过一个HTTP请求参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0341 3供应商确认:内容的决定:重新发现,SF-LOC抽象:这看起来类似于- 1999 - 
1006,但这个问题是在1999年报道的。然而,问题的类型似乎是相同的,以及受影响的版本(5.5),所以也许这两个问题应该合并。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0342网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0342最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020226错误:Kmail客户机DoS参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101475683425671&w=2参考:XF: kmail-message-body-dos(8283)参考:网址:http://www.iss.net/security_center/static/8283.php参考:报价:4177参考:网址:http://www.securityfocus.com/bid/41771.2 Kmail KDE 2.1.1允许远程攻击者造成拒绝服务(崩溃)通过电子邮件消息的身体长约55公里。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0342 3供应商确认:未知的内容决定:EX-CLIENT-DOS包含:CD: EX-CLIENT-DOS表明,如果一个问题只会导致DoS在客户端,和问题的范围是有限的客户,和客户端只需要重启来解决这个问题,那么这个问题不应该被包括在CVE。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0343网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0343最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:vuln BUGTRAQ: 20020228热线客户简单密码。参考网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101495128121299&w=2参考:XF: hotline-connect-plaintext-password(8327)参考:网址:http://www.iss.net/security_center/static/8327.php参考:报价:4210参考:网址:http://www.securityfocus.com/bid/4210于热线客户1.8.5商店敏感的用户信息,包括密码、书签的明文文件,允许本地用户访问书签文件获得特权通过提取出密码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0343 3供应商确认:内容决定:DESIGN-WEAK-ENCRYPTION投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST 
HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0344网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0344最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020225赛门铁克实时更新参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101466781122312&w=2参考:BUGTRAQ: 20020228 Re:“哈维尔·桑切斯jsanchez157@hotmail.com 02/25/2002十一14点,赛门铁克参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101496301307285&w=2参考:报价:4170参考:网址:http://www.securityfocus.com/bid/4170参考:XF: nav-liveupdate-plaintext-account(8282)参考:网址:http://www.iss.net/security_center/static/8282.php赛门铁克实时更新1.5和诺顿杀毒早些时候的本地实时更新服务器存储用户名和密码明文在注册表中,这可能允许远程攻击者冒充实时更新服务器。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0344 3供应商确认:是的后续内容决定:DESIGN-WEAK-ENCRYPTION投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0345网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0345最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020301 Re:“彼得·米勒”pcmiller61@yahoo.com, 02/26/2002 03:48是Re:赛门铁克参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101529792821615&w=2参考:BUGTRAQ: 20020226 RE:赛门铁克实时更新参考:网址:http://online.securityfocus.com/archive/1/258293参考:报价:4181参考:网址:http://www.securityfocus.com/bid/4181参考:XF: ghost-plaintext-account(8305)参考:网址:http://www.iss.net/security_center/static/8305.php赛门铁克鬼7.0存储用户名和密码明文在NGServer \ params注册表键,这可能允许攻击者获得特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0345 3供应商确认:没有争议内容决定:DESIGN-WEAK-ENCRYPTION,包容包容:由赛门铁克的帖子(和另一个由一个独立的政党)声称,关键是只访问管理员帐户。如果是这样的话,那么有很少或没有获得这些信息,已经不能获得使用管理员权限。也许这个问题不应被包括在CVE。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG 
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0346网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0346最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020228 Colbalt-RAQ-v4-Bugs&Vulnerabilities参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101495944202452&w=2参考:报价:4211参考:网址:http://www.securityfocus.com/bid/4211参考:XF: cobalt-raq-css(8321)参考:网址:http://www.iss.net/security_center/static/8321.php在钴RAQ 4跨站点脚本漏洞允许远程攻击者执行任意脚本和其他用户通过一个URL的Javascript钴(1)服务。cgi或(2)alert.cgi。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0346 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0347网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0347最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020228 Colbalt-RAQ-v4-Bugs&Vulnerabilities参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101495944202452&w=2参考:报价:4208参考:网址:http://www.securityfocus.com/bid/4208参考:XF: cobalt-raq-directory-traversal(8322)参考:网址:http://www.iss.net/security_center/static/8322.php目录遍历钴RAQ 4中漏洞允许远程攻击者读取密码保护的文件,并可能文件在web根,通过. 
.(点点)在一个HTTP请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0347 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0348网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0348最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020228 Colbalt-RAQ-v4-Bugs&Vulnerabilities参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101495944202452&w=2参考:XF: cobalt-raq-service-dos(8323)参考:网址:http://www.iss.net/security_center/static/8323.php参考:报价:4209参考:网址:http://www.securityfocus.com/bid/4209服务。cgi钴RAQ 4允许远程攻击者引起拒绝服务,并可能执行任意代码,通过长期服务的论点。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0348 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0349网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0349最终决定:阶段性裁决:修改:建议:20020502分配:20020501类别:科幻参考:BUGTRAQ: 20020228…微小的个人防火墙…参考网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101494587110288&w=2参考:报价:4207参考:网址:http://www.securityfocus.com/bid/4207参考:XF: tinyfw-popup-gain-access(8324)参考:网址:http://www.iss.net/security_center/static/8324.php微小的个人防火墙(锥度英尺)2.0.15,在某些配置,系统会弹出一个警告,即使屏幕被锁定,这可能允许攻击者与机器的物理访问隐藏活动或绕过访问限制。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0349 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:
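Several candidates in this cluster are the same input-validation failure seen from different products: directory traversal via ".." (BPM Studio Pro, xtell's TTY argument, Cobalt RaQ), traversal via a modified "..." spelling (BadBlue), and an attachment name that is an MS-DOS device name (The Bat!). The following is an added example, written for this page and not code from any of those vendors, of the check a server should apply to an untrusted relative path before handing it to the filesystem. It percent-decodes (repeatedly, to catch double encoding), rejects absolute paths, rejects every all-dot segment rather than only the two-dot spelling, rejects DOS device names, and finally confirms the normalised result still lies under the document root. The web root and the sample requests are constructed for the example and need not exist.

```python
"""Validating an untrusted request path before it reaches the filesystem.

Added example, not code from BadBlue, BPM Studio, xtell, Cobalt RaQ or
The Bat!.  It refuses the input classes those advisories describe.
"""
import posixpath
from urllib.parse import unquote

# Names that MS-DOS/Windows resolve to a device in any directory, with or
# without an extension ("nul.txt" still opens the NUL device).
DOS_DEVICES = {"CON", "PRN", "AUX", "NUL", "CLOCK$"} | {
    f"{prefix}{n}" for prefix in ("COM", "LPT") for n in range(1, 10)
}

# Constructed document root for the example; it does not need to exist.
WEB_ROOT = "/srv/www/htdocs"


def decode_request_path(raw: str) -> str:
    """Percent-decode and normalise separators so every later check sees
    what the filesystem would see.  Decoding is repeated (bounded) so a
    double-encoded %252e%252e is examined as '..' and not as literal text."""
    path = raw
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def is_dos_device(segment: str) -> bool:
    """True if the name, ignoring any extension, is a reserved device name."""
    stem = segment.split(".", 1)[0].strip().upper()
    return stem in DOS_DEVICES


def classify_request_path(raw: str) -> str:
    """Return 'ok', or the reason the path must be refused."""
    path = decode_request_path(raw)
    if "\x00" in path:
        return "nul-byte"
    if path.startswith("/") or (len(path) > 1 and path[1] == ":"):
        return "absolute-path"
    for segment in path.split("/"):
        seg = segment.strip()
        # '..' climbs one level.  '...' is left alone by normpath, yet the
        # BadBlue advisory above shows it being honoured as a traversal, so
        # refuse every segment made only of two or more dots.
        if len(seg) >= 2 and seg == "." * len(seg):
            return "dot-segment"
        if seg and is_dos_device(seg):
            return "dos-device-name"
    return "ok"


def resolve_under_root(root: str, raw: str):
    """Absolute target path for a request, or None if it must be refused.

    The containment check at the end is defence in depth: even if some new
    spelling slipped past classify_request_path, the normalised result still
    has to stay inside the root.
    """
    if classify_request_path(raw) != "ok":
        return None
    root_n = posixpath.normpath(root)
    target = posixpath.normpath(posixpath.join(root_n, decode_request_path(raw)))
    if target == root_n or target.startswith(root_n + "/"):
        return target
    return None


if __name__ == "__main__":
    # Constructed sample requests in the spirit of the advisories above.
    samples = [
        "index.html",
        "docs/../../../../etc/passwd",
        ".../.../.../boot.ini",
        "%2e%2e/%2e%2e/etc/passwd",
        "%252e%252e/%252e%252e/etc/passwd",
        "images\\..\\..\\secret.txt",
        "/etc/passwd",
        "attachments/nul.txt",
        "attachments/COM1",
    ]
    for s in samples:
        print(f"{s:40} {classify_request_path(s):16} {resolve_under_root(WEB_ROOT, s)}")
```

Rejecting on segment shape before normalising, rather than normalising and then comparing, is deliberate: normpath only knows about "." and "..", so a check that relies on it alone passes "..." straight through to whatever the underlying platform makes of it.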

Page Last Updated or Reviewed: May 22, 2007