(日期:][下一个日期][线程:][线程下][日期索引][线程索引]
(提案)集群最近50 - 89的候选人
- 来:cve-editorial-board-list@lists.mitre.org
- 主题(建议):集群最近50 - 89的候选人
- 从:“史蒂文·m·Christey " <coley@linus.mitre.org>
- 日期-0400年:星期二,2002年6月11日01:22:02(美国东部时间)
- 交货日期:2002年6月11日01:22:08星期二
- 发送方:owner-cve-editorial-board-list@lists.mitre.org
我最近提出集群——89年由编辑委员会审查和投票。名称:最近- 89描述:候选人宣布1/2/2002和3/9/2002之间尺寸:50通过修改这封邮件你可能投票的候选人投票,将它寄回给我,或通过使用CVE投票网站。中列出的候选人优先秩序。优先级1和优先级2的候选人都应对不同层次的供应商确认,所以他们应该易于检查和可以信任的,是真实的问题。如果你发现任何RECENT-XX集群是不完整的对过程中发现的问题相关的时间框架,请发送信息给我,这样候选人可以被指定。——史蒂夫总结的选票使用(“严重程度”的按升序)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -接受——选民接受候选人提出等待——选民对候选人没有意见修改选民想要改变一些小细节(例如参考/描述)审查-选民正在审查/研究候选人,或需要更多的信息,重塑候选人必须大幅修改,如分割或合并拒绝候选人不是“漏洞”,或重复等。1)请写你的投票在直线上,从“投票:”开始。如果你想添加评论或细节,在投票后将它们添加到线:线。2)如果你看到任何失踪的引用,请提及他们,使他们可以包括在内。在映射引用帮助极大。3)请注意,“修改”被视为一个“接受”当计算选票。 So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING. ********** NOTE ********** NOTE ********** NOTE ********** NOTE ********** Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats. ====================================================== Candidate: CAN-2002-0006 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0006最终决定:阶段性裁决:修改:建议:20020611分配:20020108类别:科幻参考:BUGTRAQ: 20020109 xchat IRC会话劫持漏洞(1.4.1,版本1.4.2)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101060676210255&w=2参考:DEBIAN: dsa - 099参考:网址:http://www.debian.org/security/2002/dsa - 099参考:REDHAT: RHSA-2002:005参考:网址:http://rhn.redhat.com/errata/rhsa - 2002 - 005. - html参考:惠普:hpsbtl0201 - 016参考:网址:http://online.securityfocus.com/advisories/3806参考:CONECTIVA: CLA-2002:453参考:网址:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000453参考:XF: xchat-ctcp-ping-command(7856)参考:网址:http://xforce.iss.net/static/7856.php参考:报价:3830参考:网址:http://www.securityfocus.com/bid/3830XChat 1.8.7,早些时候,包括默认配置1.4.2和3,允许远程攻击者执行任意的IRC命令其他客户通过编码字符在PRIVMSG CTCP PING命令调用,它扩展了字符percascii变量被设置时客户端响应。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0006 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0363网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0363最终决定:阶段性裁决:修改:建议:20020611分配:20020507类别:科幻参考:MISC:http://www.ghostscript.com/pipermail/gs-code-review/2002-January/001801.html参考:MISC:http://www.ghostscript.com/pipermail/gs-code-review/2002-February/001900.html参考:REDHAT: RHSA-2002:083参考:网址:http://www.redhat.com/support/errata/rhsa - 2002 - 083. - html内容之前6.53允许攻击者利用.locksafe或执行任意命令.setsafe重置当前pagedevice。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0363 1供应商确认:是的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0412网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0412最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020304 [H20020304]:远程利用ntop参考格式字符串漏洞:网址:http://online.securityfocus.com/archive/1/259642参考:BUGTRAQ: 20020411警报警报警报警报警报警报警报警报警报警报警报参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101854261030453&w=2参考:BUGTRAQ: 20020411 re:消耗ntop警报参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101856541322245&w=2ntop参考参考:BUGTRAQ: 20020417段错误:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101908224609740&w=2参考:VULNWATCH: 20020304 [VULNWATCH] [H20020304]:远程利用ntop参考格式字符串漏洞:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0056.html参考:确认:http://snapshot.ntop.org/参考:MISC:http://listmanager.unipi.it/pipermail/ntop-dev/2002-February/000489.html参考:XF: ntop-traceevent-format-string(8347)参考:网址:http://www.iss.net/security_center/static/8347.php参考:报价:4225参考:网址:http://www.securityfocus.com/bid/4225格式字符串漏洞在2.1前ntop TraceEvent函数允许远程攻击者执行任意代码,导致格式字符串被注入到syslog调用函数,通过(1)一个HTTP GET请求,(2)在HTTP身份验证用户名,或(3)在HTTP身份验证密码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0412 1供应商确认:是的咨询确认:在首页,供应商有一个项目3月5日,2002年,国家“安全暴露(远程代码执行)据报道,ntop bugtraq (bugtraq@securityfocus.com)的全息图”——原大参考bugtraq。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0414网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0414最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020304 BSD: IPv4转发不咨询入站SPD KAME-derived IPsec参考:网址:http://www.securityfocus.com/archive/1/259598参考:确认:http://orange.kame.net/dev/cvsweb.cgi/kame/CHANGELOG参考:报价:4224参考:网址:http://www.securityfocus.com/bid/4224参考:XF: kame-forged-packet-forwarding(8416)参考:网址:http://www.iss.net/security_center/static/8416.php参考:VULNWATCH: 20020304 [VULNWATCH] BSD: IPv4转发不咨询入站SPD KAME-derived IPsec参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0057.htmlNetBSD 1.5.2 KAME-derived实现IPsec, FreeBSD 4.5,和其他操作系统,不适当的咨询安全策略数据库(SPD),这可能会导致一个安全网关(SG)不使用封装安全载荷(ESP)将伪造的IPv4转发数据包。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0414 1供应商确认:是的、确认:在更新日志项过时“Mon 2:00:06 2002年2月25日,供应商说“执行ipsec策略检查转发情况”和学分Bugtraq海报。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0423网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0423最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020306 efingerd远程缓冲区溢出和危险特性参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-03/0050.html参考:确认:http://melkor.dnp.fmph.uniba.sk/ garabik / efingerd / efingerd_1.5.tar.gz参考:报价:4239参考:网址:http://www.securityfocus.com/bid/4239参考:XF: efingerd-reverse-lookup-bo(8380)参考:网址:http://www.iss.net/security_center/static/8380.php早些时候在efingerd 1.5和缓冲区溢出,可能高达1.61,允许远程攻击者可能导致拒绝服务和执行任意代码通过一个手指要求获得有着悠久主机名的IP地址,通过反向DNS查找。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0423 1供应商确认:是的补丁确认:考试1.6.2的源代码的一个孩子。c文件,首次披露约会几周后,唯一的变化是终止的字符串复制。但是源代码显示了strncpy调用,而不是拷贝字符串所宣称的揭露者。回顾旧版本的源代码,似乎第一次尝试解决溢出是在version 1.5中,在那里拷贝字符串被strncpy所取代。然而,由于字符串不是零终止直到1.6.2,揭露者可能认为溢出仍然存在,因为他们至少还能引发崩溃。目前尚不清楚无端接的字符串通过1.6.2版本1.5是可利用的。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0424网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0424最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020306 efingerd远程缓冲区溢出和危险特性参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-03/0050.html参考:确认:http://melkor.dnp.fmph.uniba.sk/ garabik / efingerd / efingerd_1.6.2.tar.gz参考:报价:4240参考:网址:http://www.securityfocus.com/bid/4240参考:XF: efingerd-file-execution(8381)参考:网址:http://www.iss.net/security_center/static/8381.phpefingerd 1.61和更早,当配置没有- u选项,执行.efingerd文件efingerd用户(通常是“没有人”),它允许本地用户获得特权作为efingerd用户通过修改自己的手指.efingerd文件并运行。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0424 1供应商确认:是的、确认:供应商承认但在1.6.2并不解决问题。README文件efingerd 1.6.2包含了一个新的“安全注意事项”部分指出:“除非使用- u选项运行,efingerd执行…(.efingerd文件)在相同UID efingerd守护进程…这意味着用户可以获得这个UID很容易。”For the purposes of CVE, vendor acknowledgement is all that is necessary. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0429 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0429最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020308 < = 2.4.18 x86 linux陷阱。c问题参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101561298818888&w=2参考:确认:http://www.openwall.com/linux/参考:报价:4259参考:网址:http://online.securityfocus.com/bid/4259iBCS例程在arch / i386 / kernel /陷阱。c x86上的Linux内核2.4.18早些时候,系统允许本地用户杀死任意流程通过二进制兼容性接口(lcall)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0429 1供应商确认:是的确认:Openwall主页有一个项日期为3月3日,2002年,即“Linux 2.2.20-ow2修复一个x86-specific脆弱性在Linux内核中发现的Stephan Springl当地用户可以虐待一个二进制兼容性接口(lcall)杀死进程不属于他们。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0497网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0497最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020306地铁0.45,0.46参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-03/0048.html参考:DEBIAN: dsa - 124参考:网址:http://www.debian.org/security/2002/dsa - 124参考:报价:4217参考:网址:http://www.securityfocus.com/bid/4217参考:XF: mtr-options-bo(8367)参考:网址:http://www.iss.net/security_center/static/8367.php早些时候在地铁0.46和缓冲区溢出,当安装setuid root,允许本地用户访问原始套接字通过长MTR_OPTIONS环境变量。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0497 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0517网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0517最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020108 dtterm利用安装7.1.1 Unixware参考:网址:http://www.securityfocus.com/archive/1/249106参考:BUGTRAQ: 20020108 xterm中利用Unixware 7.0.1参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-01/0099.html参考:火山口:综援- 2002上海合作组织。15参考:网址:ftp://stage.caldera.com/pub/security/openunix/cssa - 2002 sco.15/cssa - 2002 sco.15.txt参考:报价:4502参考:网址:http://www.securityfocus.com/bid/4502参考:XF: unixware-openunix-dtterm-bo(7282)参考:网址:http://www.iss.net/security_center/static/7282.php参考:XF: x11-xrm-bo(8828)参考:网址:http://www.iss.net/security_center/static/8828.php缓冲区溢出在X11图书馆(libX11)火山口开放UNIX 8.0.0,安装7.1.1 UnixWare,和可能的其他操作系统,允许本地用户获得根权限通过长-xrm参数程序,如(1)dtterm或(2)xterm。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0517 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0567网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0567最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020206远程Oracle 9 i数据库服务器引用妥协:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101301332402079&w=2参考:CERT-VN: VU # 180147参考:网址:http://www.kb.cert.org/vuls/id/180147参考:CERT: ca - 2002 - 08年参考:网址:http://www.cert.org/advisories/ca - 2002 - 08. - html参考:确认:http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf参考:报价:4033参考:网址:http://www.securityfocus.com/bid/4033参考:XF: oracle-plsql-remote-access(8089)参考:网址:http://xforce.iss.net/static/8089.phpOracle 8和9我与PL / SQL包外部程序(EXTPROC)允许远程攻击者绕过身份验证和执行任意函数通过使用TNS侦听器直接连接到EXTPROC过程。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0567 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0568网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0568最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020206 Hackproofing Oracle应用服务器论文参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2参考:CERT: ca - 2002 - 08年参考:网址:http://www.cert.org/advisories/ca - 2002 - 08. - html参考:CERT-VN: VU # 476619参考:网址:http://www.kb.cert.org/vuls/id/476619参考:MISC:http://www.nextgenss.com/papers/hpoas.pdf参考:报价:4290参考:网址:http://www.securityfocus.com/bid/4290Oracle 9 i应用服务器存储XSQL不安全地和SOAP的配置文件,它允许本地用户获取敏感信息包括用户名和密码通过请求(1)XSQLConfig。xml或(2)soapConfig。通过一个虚拟目录的xml。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0568 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0569网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0569最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020206 Hackproofing Oracle应用服务器论文参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2参考:CERT-VN: VU # 977251参考:网址:http://www.kb.cert.org/vuls/id/977251参考:CERT: ca - 2002 - 08年参考:网址:http://www.cert.org/advisories/ca - 2002 - 08. - html参考:MISC:http://www.nextgenss.com/papers/hpoas.pdf参考:报价:4298参考:网址:http://www.securityfocus.com/bid/4298Oracle 9 i应用服务器允许远程攻击者绕过访问限制,通过直接请求XSQL Servlet配置文件(XSQLServlet)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0569 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0406网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0406最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020302拒绝服务Sphereserver参考:网址:http://online.securityfocus.com/archive/1/259334参考:XF: sphereserver-connections-dos(8338)参考:网址:http://www.iss.net/security_center/static/8338.php参考:报价:4258参考:网址:http://www.securityfocus.com/bid/4258Menasoft球体server 0.99和0.5 x允许远程攻击者造成拒绝服务通过建立大量的连接到服务器没有提供登录凭证,从而防止其他用户无法登录。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0406 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0407网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0407最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020207 Re:毕马威- 2002004:Lotus Domino网络服务器DOS-device拒绝服务引用:网址:http://online.securityfocus.com/archive/1/254768毕马威参考:BUGTRAQ: 20020402 - 2002006: Lotus Domino物理路径显示参考:网址:http://www.securityfocus.com/archive/1/265380参考:报价:4406参考:网址:http://www.securityfocus.com/bid/4406参考:XF: lotus-domino-reveal-information(8160)参考:网址:http://www.iss.net/security_center/static/8160.phphtcgibin。exe在Lotus Domino服务器5.0.9a早些时候,允许远程攻击者通过请求确定服务器的物理路径名包含特定的ms - dos com5等设备名称,如(1)”的请求. pl或. java扩展,或(2)一个请求包含大量的时期,这导致htcgibin。exe泄漏路径名的一条错误消息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0407 3供应商确认:未知discloser-claimed内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0408网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0408最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020207 Re:毕马威- 2002004:Lotus Domino网络服务器DOS-device拒绝服务引用:网址:http://online.securityfocus.com/archive/1/254768参考:BUGTRAQ: 20020303 Re:毕马威- 2002006:Lotus Domino物理路径显示参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101785616526383&w=2参考:报价:4049参考:网址:http://www.securityfocus.com/bid/4049htcgibin。exe在Lotus Domino服务器5.0.9a和早些时候,当配置了NoBanner设置,允许远程攻击者来确定服务器的版本号通过请求生成一个HTTP 500错误代码,这泄漏版本在一个硬编码的错误消息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0408 3供应商确认:未知discloser-claimed内容决定:SF-LOC ABSTARCTION:这有一些重叠(2)- 2002 - 0245项,尽管不同版本都受到影响。这些可能是相同的底层问题(在Domino配置或设计问题),跨越多个版本。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0409网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0409最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020303 iBuySpy商店洞参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101518860823788&w=2orderdetails。aspx, Microsoft . net开发人员可用的示例代码,并演示了在www.ibuyspystore.com上,允许远程攻击者查看其他用户的订单修改OrderID参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0409 3供应商确认:内容决定:EX-ONLINE-SVC包含:CD: EX-ONLINE-SVC通常建议在线服务或应用程序服务提供者从CVE被排除在外。然而,在这种情况下,揭露者声称,微软“鼓励开发人员查看和复制的代码自己的项目,“这使得这种类似于一个分布的软件其他政党。因此,这个问题应该被包括在CVE。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0410网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0410最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020303 AeroMail多个漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-03/0004.html参考:确认:http://the.cushman.net/projects/aeromail/download/aeromail-1.45.tar.gz参考:MISC:http://the.cushman.net/projects/aeromail/download/参考:XF: aeromail-obtain-files(8345)参考:网址:http://www.iss.net/security_center/static/8345.php参考:报价:4214参考:网址:http://www.securityfocus.com/bid/4214的send_message。php在AeroMail 1.45允许远程攻击者读取任意文件在服务器上,而不是仅仅上传文件,通过修改文件名上传一个附件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0410 3供应商确认:是的补丁内容决定:SF-LOC确认:供应商下载页面,一个简短的1.45版本更改日志说“修补安全漏洞,”不够明确,以确保供应商是修补* *脆弱性。然而,看看第25行send_message。php显示调用一个函数is_uploaded_file(),这是一个有条件的一部分,决定是否应该附加一个文件。这个函数不被称为在版本1.40 -最新版本1.45 -基于源代码的比较。因此,尽管从供应商书面确认是模糊,源代码的检查显示一个补丁,解决这个问题。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0411网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0411最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020303 AeroMail多个漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-03/0004.html参考:确认:http://the.cushman.net/projects/aeromail/download/aeromail-1.45.tar.gz参考:报价:4215参考:网址:http://www.securityfocus.com/bid/4215参考:XF: aeromail-subject-css(8346)参考:网址:http://www.iss.net/security_center/static/8346.php跨站点脚本漏洞的消息。php之前AeroMail 1.45允许远程攻击者执行Javascript作为AeroMail用户通过电子邮件主题中的脚本。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0411 3供应商确认:是的补丁内容决定:SF-LOC确认:供应商下载页面,一个简短的1.45版本更改日志说“修补安全漏洞,”不够明确,以确保供应商是修补* *脆弱性。然而,一看第7行信息。php表示调用一个函数htmlspecialchars函数()而构建主题。这个函数不被称为在版本1.40 -最新版本1.45 -基于源代码的比较。因此,尽管从供应商书面确认是模糊,源代码的检查显示一个补丁,解决这个问题。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0413网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0413最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020304 ReBB javascripts脆弱性参考:网址:http://online.securityfocus.com/archive/1/259464参考:报价:4220参考:网址:http://www.securityfocus.com/bid/4220参考:XF: rebb-img-css(8353)参考:网址:http://www.iss.net/security_center/static/8353.php跨站点脚本漏洞ReBB允许远程攻击者执行任意Javascript和偷饼干通过IMG标记的URL包含恶意脚本。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0413 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0415网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0415最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020302 RealPlayer错误引用:网址:http://www.securityfocus.com/archive/1/259333参考:报价:4221参考:网址:http://www.securityfocus.com/bid/4221参考:XF: realplayer-http-directory-traversal(8336)参考:网址:http://www.iss.net/security_center/static/8336.php目录遍历脆弱性RealPlayer 6.0.7中使用的web服务器,可能还有其他版本,允许本地用户阅读文件访问RealPlayer通过. .(点点)在HTTP GET请求端口1275。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0415 3供应商确认:包含:后续讨论Bugtraq表明RealPlayer似乎限制访问localhost,这限制了只本地用户的问题。从理论上讲,这样的本地用户访问文件系统的全部或大部分。然而,它是可能的,RealPlayer访问某些文件,其他用户不会;此外,攻击者读取原始设备文件导致拒绝服务。因此,虽然这个漏洞的范围是有限的,在某些情况下,攻击者可以进行未经授权的活动。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0416网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0416最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020305缓冲区溢出在sh39.com参考:网址:http://www.securityfocus.com/archive/1/259818参考:报价:4232参考:网址:http://www.securityfocus.com/bid/4232参考:XF: sh39-mailserver-dos(8379)参考:网址:http://www.iss.net/security_center/static/8379.php缓冲区溢出SH39服务器1.21和更早的允许远程攻击者引起拒绝服务,并可能执行任意代码,通过一个长命令SMTP端口。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0416 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0417网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0417最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020305恩底弥翁SakeMail和邮差文件披露漏洞参考:网址:http://online.securityfocus.com/archive/1/259730参考:确认:http://www.endymion.com/products/mailman/history.htm参考:XF: mailman-alternate-templates-traversal(8357)参考:网址:http://www.iss.net/security_center/static/8357.php参考:报价:4222参考:网址:http://www.securityfocus.com/bid/4222目录遍历脆弱性恩底弥翁邮差之前3.1允许远程攻击者读取任意文件通过一个. .(点点)和一个空字符ALTERNATE_TEMPLATES参数对各种mmstdo *。cgi程序。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0417 3供应商确认:是的更新日志内容决定:SF-CODEBASE确认:邮差的历史文件包含一个条目3月6日,2002年,描述了一个“小安全修订,以防止文件披露的洞。”ABSTRACTION: CD:SF-CODEBASE suggests performing a SPLIT when there appear to be different bugs of the same type, in different packages offered by the vendor. Therefore the MailMan and SakeMail are kept separate. In addition, the bug has been fixed in MailMan but not in SakeMail as of this writing. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0418 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0418最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020305恩底弥翁SakeMail和邮差文件披露漏洞参考:网址:http://online.securityfocus.com/archive/1/259730参考:报价:4223参考:网址:http://www.securityfocus.com/bid/4223参考:XF: sakemail-paramname-directory-traversal(8358)参考:网址:http://www.iss.net/security_center/static/8358.php目录遍历com.endymion.sake.servlet.mail脆弱性。MailServlet servlet的恩底弥翁SakeMail 1.0.36早些时候,允许远程攻击者读取任意文件通过一个. .(点点)和一个空字符param_name参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0418 3供应商确认:未知的内容决定:SF-CODEBASE抽象:CD: SF-CODEBASE建议执行分割时出现不同的相同类型的错误,在不同供应商提供的包。因此邮递员和SakeMail分开。此外,错误已经固定在SakeMail邮差但不是在撰写本文时。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0419网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0419最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020305考虑IIS身份验证(# NISR05032002C)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101535399100534&w=2参考:XF: iis-authentication-error-messages(8382)参考:网址:http://www.iss.net/security_center/static/8382.php参考:报价:4235参考:网址:http://www.securityfocus.com/bid/4235信息泄漏在IIS 4通过5.1允许远程攻击者更容易获取潜在的敏感信息或进行强力攻击通过来自服务器的响应(1)的服务器显示支持基本还是NTLM身份验证在401年拒绝访问错误消息,(2)在某些配置,提供了服务器IP地址作为基本身份验证的领域,从而揭示被NAT的实际IP地址,或(3)使用NTLM身份验证时,服务器的NetBIOS名称及其Windows NT域显示一个授权请求的响应。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0419 3供应商确认:没有大参考索赔纠纷内容决定:SF-LOC抽象:CD: SF-LOC表明合并都是同一类型的问题。在这种情况下,所有这些问题是信息泄漏。然而,信息泄漏并不像一个类被充分研究过的,可能会有低级类别中,这个项目可能会分裂。包含:信息泄露是一个风险。因此,这个项目应该包含在CVE。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0420网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0420最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020305 PureTLS安全声明:升级到0.9 b2参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-03/0056.html参考:报价:4237参考:网址:http://www.securityfocus.com/bid/4237参考:XF: puretls-injection-attack(8386)参考:网址:http://www.iss.net/security_center/static/8386.php相关漏洞在PureTLS 0.9 b2注入攻击,这可能允许远程攻击者腐败或劫持用户会话。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0420 3供应商确认:是的内容决定:模糊包含:CD:模糊表明即使安全问题报告的供应商,没有细节,它应该被包括在CVE因为有很高的信心,这个问题是真实的。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0421网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0421最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020306 NT用户(锁定改变他/她的密码,管理员)可以绕过安全政策和更改密码。参考网址:http://online.securityfocus.com/archive/1/259963参考:报价:4236参考:网址:http://www.securityfocus.com/bid/4236参考:XF: winnt-pw-policy-bypass(8388)参考:网址:http://www.iss.net/security_center/static/8388.phpIIS 4.0允许本地用户绕过“用户不能更改密码”政策被直接调用Windows NT / iisadmpwd .htr密码改变项目目录,包括(1)aexp2。(2)aexp2b htr。(3)aexp3 htr。htr,或(4)aexp4.htr。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0421 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0422网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0422最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020305 IIS内部IP地址信息披露(# NISR05032002B)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101536634207324&w=2参考:NTBUGTRAQ: 20020305 IIS内部IP地址信息披露(# NISR05032002B)参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=101535147125320&w=2IIS 5和5.1支持WebDAV方法允许远程攻击者确定系统的内部IP地址(可能是被NAT)通过(1)PROPFIND HTTP请求和一个空白的主机头,这泄漏的地址在一个207 Multi-Status响应一个HREF属性,或(2)通过写MKCOL方法,泄漏位置服务器的IP报头。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0422 3供应商确认:内容决定:SF-LOC抽象:CD: SF-LOC表明分割当问题出现在不同的版本。这些信息泄漏只出现在IIS 5.0及以上,而基本/ NTLM泄漏也在IIS 4.0。因此这两个项目应该是分裂。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0425网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0425最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020306 mIRC DCC参考服务器安全缺陷:网址:http://online.securityfocus.com/archive/1/260244参考:XF: mirc-dcc-reveal-info(8393)参考:网址:http://www.iss.net/security_center/static/8393.php参考:报价:4247参考:网址:http://www.securityfocus.com/bid/4247mIRC DCC服务器协议允许远程攻击者获得敏感信息,如通过“100”测试消息交替IRC昵称的DCC连接请求不能被忽视或取消的用户,这可能泄漏备用昵称在响应消息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0425 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0426网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0426最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020308路由器BEFVP41 VPN服务器不遵循适当的VPN标准参考:网址:http://online.securityfocus.com/archive/1/260613参考:MISC:ftp://ftp.linksys.com/pub/befsr41/befvp41 - 1402. - zip参考:XF: linksys-etherfast-weak-encryption(8397)参考:网址:http://www.iss.net/security_center/static/8397.php参考:报价:4250参考:网址:http://www.securityfocus.com/bid/4250VPN服务器模块在路由器EtherFast BEFVP41电缆/ DSL VPN路由器之前1.40.1降低了密钥的密钥长度提供通过手工关键条目,这使得攻击者更容易破解的关键。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0426 3供应商确认:未知的模糊的内容决定:DESIGN-WEAK-ENCRYPTION确认:供应商提供了* *的补丁,但尚不清楚是否解决这个漏洞。的历史。txt文件补丁包含一个条目的日期为2002-03-01,说“在手动键控选项,最大短语加密密钥的长度改变从23到24个字符。”However, this item specifically talks about the phrase length and not the key length, and the number of characters is not consistent with what the original discloser said. Therefore there is insufficient information to be certain that the patch addresses this vulnerability. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0427 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0427最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:曼德拉草:MDKSA-2002:021参考:网址:http://www.linux mandrake.com/en/security/2002/mdksa - 2002 - 021. - php参考:FREEBSD: FreeBSD-SA-02:17参考:网址:ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:17.mod_frontpage.asc参考:报价:4251参考:网址:http://www.securityfocus.com/bid/4251参考:XF: apache-modfrontpage-bo(8400)参考:网址:http://www.iss.net/security_center/static/8400.php缓冲区溢出在fpexec mod_frontpage 1.6.1之前可能允许攻击者获得根权限。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0427 3供应商确认:对咨询内容的决定:SF-LOC准确性:曼德拉草咨询说问题是远程,但FreeBSD顾问说,问题是当地的。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0428网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0428最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020308检查点FW1 SecuRemote / SecureClient“重复认证”(客户端攻击users.C)参考:网址:http://online.securityfocus.com/archive/1/260662参考:报价:4253参考:网址:http://www.securityfocus.com/bid/4253参考:XF: fw1-authentication-bypass-timeouts(8423)参考:网址:http://www.iss.net/security_center/static/8423.php检查防火墙1 SecuRemote / SecuClient 4.0和4.1允许客户绕过身份验证超时”通过修改to_expire或到期值在客户机的用户。C配置文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0428 3供应商确认:未知discloser-claimed确认:原文包含电子邮件附件,据说来自核对点,但这并不是足够清晰证明供应商已经公开承认这个问题。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0430网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0430最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020308远程钴Raq XTR vulns参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-03/0081.html参考:报价:4252参考:网址:http://online.securityfocus.com/bid/4252MultiFileUploadHandler。php在阳光下钴RaQ XTR管理界面允许本地用户绕过身份验证和覆盖任意文件通过一个符号链接攻击一个临时文件,要求MultiFileUpload.php紧随其后。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0430 3供应商确认:内容决定:SF-LOC抽象:CD: SF-LOC表明执行划分不同类型的漏洞。这是一个“复合”漏洞的缺乏认证发挥作用使得攻击者更容易进行符号链接攻击,但尚不清楚是否添加身份验证可以解决符号链接的问题。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0431网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0431最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020309 xtux服务器DoS。参考网址:http://online.securityfocus.com/archive/1/260912参考:MISC:https://sourceforge.net/tracker/index.php?func=detail&aid=529046&group_id=206&atid=100206参考:报价:4260参考:网址:http://www.securityfocus.com/bid/4260参考:XF: xtux-server-dos(8422)参考:网址:http://www.iss.net/security_center/static/8422.phpXTux允许远程攻击者造成拒绝服务(CPU消耗)通过随机输入的初始连接。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0431 3供应商确认:确认:在撰写本文时(20020514),一个错误报告提交20020319,但是供应商没有回应。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0432网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0432最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020309 Citadel /用户体验服务器远程DoS攻击漏洞参考:网址:http://online.securityfocus.com/archive/1/260934参考:确认:http://uncensored.citadel.org/pub/citadel/citadel-ux-5.91.tar.gz参考:XF: citadel-helo-bo(8426)参考:网址:http://www.iss.net/security_center/static/8426.php参考:报价:4263参考:网址:http://www.securityfocus.com/bid/4263缓冲区溢出(2)和(1)lprintf cprintf sysdep。c Citadel / UX 5.90和更早的允许远程攻击者可能导致拒绝服务(崩溃)和执行任意代码通过攻击如长直升机命令到SMTP服务器。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0432 3供应商确认:是的更新日志内容决定:SF-LOC, SF-EXEC抽象:CD: SF-LOC和CD: SF-EXEC建议结合相同类型的问题出现在相同的版本,所以lprintf cprintf溢出相结合。确认:供应商的更新日志,评论修改590.134,约会2002/03/09,应用状态”(Bugtraq海报)提交的一个补丁来解决一个潜在的缓冲区溢出问题lprintf ()。我也做了同样的修复cprintf ()。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0443网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0443最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020307 Windows 2000密码策略绕过可能参考:网址:http://online.securityfocus.com/archive/1/260704参考:XF: win2k-password-bypass-policy(8402)参考:网址:http://www.iss.net/security_center/static/8402.php参考:报价:4256参考:网址:http://www.securityfocus.com/bid/4256微软Windows 2000允许本地用户绕过政策,禁止重复使用旧密码通过改变当前密码到期之前,不允许检查以前的密码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0443 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0444网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0444最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020408漏洞:Windows2000Server Terminalservices参考:网址:http://www.securityfocus.com/archive/1/266729参考:报价:4464参考:网址:http://www.securityfocus.com/bid/4464参考:XF: win2k-terminal-bypass-policies(8813)参考:网址:http://www.iss.net/security_center/static/8813.phpMicrosoft Windows 2000终端服务器运行90天的试用版,可能还有其他版本,不适用政策传入的用户组当SYSVOL共享的连接数超过最大,如最大数量的许可证,允许远程经过身份验证的用户绕过集团政策。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0444 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0447网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0447最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020308 xerver - 2.10 -文件- disclousure&dos攻击参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-03/0091.html参考:BUGTRAQ: 20020312 Xerver免费Web Server 2.10文件披露和DoS补丁(更新版)参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-03/0155.html参考:XF: xerver-dot-directory-traversal(8421)参考:网址:http://www.iss.net/security_center/static/8421.php参考:报价:4255参考:网址:http://www.securityfocus.com/bid/4255目录遍历脆弱性Xerver免费Web Server 2.10和更早的允许远程攻击者任意目录列表通过. .(点点)在一个HTTP GET请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0447 3供应商确认:是的后续内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0448网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0448最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020308 xerver - 2.10 -文件- disclousure&dos攻击参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-03/0091.html参考:BUGTRAQ: 20020312 Xerver免费Web Server 2.10文件披露和DoS补丁(更新版)参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-03/0155.html参考:XF: xerver-multiple-request-dos(8419)参考:网址:http://www.iss.net/security_center/static/8419.php参考:报价:4254参考:网址:http://www.securityfocus.com/bid/4254Xerver免费Web Server 2.10和更早的允许远程攻击者造成拒绝服务(崩溃)通过一个HTTP请求包含许多“C: / "序列。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0448 3供应商确认:是的后续内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0449网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0449最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020305 Talentsoft缓冲区溢出的Web + (# NISR01032002A)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101535141925150&w=2参考:确认:http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943参考:报价:4233参考:网址:http://www.securityfocus.com/bid/4233参考:XF: webplus-webpsvc-bo(8361)参考:网址:http://www.iss.net/security_center/static/8361.php在webpsvc缓冲区溢出。exe Talentsoft Web + 5.0和更早的允许远程攻击者通过webplus长参数执行任意代码。exe程序,在webpsvc.exe触发溢出。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0449 3供应商确认:是的内容决定:SF-LOC承认:知识库文章在供应商网站上说:“安全问题:一个超级长url可以导致web +服务器崩溃,一个未经检查的缓冲区溢出。攻击者可以用它来伤害你的系统。”ABSTRACTION: CD:SF-LOC suggests that if 2 vulnerabilities of the same type appear in the same product, then they should be SPLIT if they appear in different versions. Since the webpsvc.exe overflow was fixed, followed by a new patch for the WML issue, these should remain SPLIT. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0450 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0450最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020313第二缓冲区溢出Talentsoft Web + (# NISR13032002)参考:网址:http://www.securityfocus.com/archive/1/261658参考:确认:http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943参考:报价:4282参考:网址:http://www.securityfocus.com/bid/4282早些时候在Talentsoft Web + 5.0和缓冲区溢出允许远程攻击者执行任意代码通过一个长Web标记语言(wml)文件名称(1)webplus。dll或(2)webplus.exe。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0450 3供应商确认:是的内容决定:SF-LOC承认:知识库文章在供应商网站上说:“安全问题:一个超级长url可以导致web +服务器崩溃,一个未经检查的缓冲区溢出。攻击者可以用它来伤害你的系统。”ABSTRACTION: CD:SF-LOC suggests that if 2 vulnerabilities of the same type appear in the same product, then they should be SPLIT if they appear in different versions. Since there was a period of time when the webpsvc.exe overflow was fixed, but the WML was not, these should remain SPLIT. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0502 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0502最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020123 RE: Citrix NFuse 1.6参考:网址:http://www.securityfocus.com/archive/1/251923参考:BUGTRAQ: 20020122 Citrix NFuse 1.6参考:网址:http://www.securityfocus.com/archive/1/251737参考:XF: nfuse-applist-information-disclosure(7984)参考:网址:http://xforce.iss.net/static/7984.php参考:报价:3926参考:网址:http://www.securityfocus.com/bid/3926Citrix NFuse 1.6可能允许远程攻击者没有认证通过访问applist列表应用程序。asp页面。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0502 3供应商确认:没有争议包含:后续的文章表明,原始报告可能是错误的,而最初的揭露者可能已经有他们的浏览器中启用会话cookie。如果是这样的话,那么就不是一个问题在Nfuse本身,所以也许这个项目应该排除在CVE。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0559网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0559最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020206多个缓冲区溢出在Oracle 9 ias参考:网址:http://online.securityfocus.com/archive/1/254426参考:CERT: ca - 2002 - 08年参考:网址:http://www.cert.org/advisories/ca - 2002 - 08. - html参考:CERT-VN: VU # 750299参考:网址:http://www.kb.cert.org/vuls/id/750299参考:CERT-VN: VU # 878603参考:网址:http://www.kb.cert.org/vuls/id/878603参考:CERT-VN: VU # 659043参考:网址:http://www.kb.cert.org/vuls/id/659043参考:CERT-VN: VU # 313280参考:网址:http://www.kb.cert.org/vuls/id/313280参考:CERT-VN: VU # 923395参考:网址:http://www.kb.cert.org/vuls/id/923395参考:确认:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf参考:MISC:http://www.nextgenss.com/papers/hpoas.pdf参考:XF: oracle-appserver-plsql-adddad-bo(8098)参考:网址:http://xforce.iss.net/static/8098.php参考:XF: oracle-appserver-plsql-bo(8095)参考:网址:http://xforce.iss.net/static/8095.php参考:XF: oracle-appserver-plsql-cache-bo(8097)参考:网址:http://xforce.iss.net/static/8097.php参考:XF: oracle-appserver-plsql-authclient-bo(8096)参考:网址:http://xforce.iss.net/static/8096.php参考:报价:4032参考:网址:http://www.securityfocus.com/bid/4032缓冲区溢出在PL / SQL模块3.0.9.8.2 1.0.2 Oracle 9 i应用服务器。x允许远程攻击者造成拒绝服务或通过(1)执行任意代码很长没有dadname帮助页面请求,它溢出的HTTP头位置,(2)一个HTTP请求到plsql模块,(3)在HTTP授权密码,(4)长访问addadd中的描述符(爸爸)密码形式,或(5)很长一段缓存目录名称。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0559 3供应商确认:对咨询内容的决定:SF-LOC抽象:CD: SF-LOC表明合并相同类型的问题出现在相同的版本。所有这些问题都是固定在同一版本,所以他们的总和。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0560网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0560最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020206 Hackproofing Oracle应用服务器论文参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2参考:MISC:http://www.nextgenss.com/papers/hpoas.pdf参考:CERT: ca - 2002 - 08年参考:网址:http://www.cert.org/advisories/ca - 2002 - 08. - html参考:CERT-VN: VU # 307835参考:网址:http://www.kb.cert.org/vuls/id/307835参考:确认:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf参考:报价:4294参考:网址:http://www.securityfocus.com/bid/4294PL / SQL模块3.0.9.8.2 1.0.2 Oracle 9 i应用服务器。x允许远程攻击者获取敏感信息通过(1)OWA_UTIL OWA_UTIL存储过程。签名,(2)OWA_UTIL。listprint,或(3)OWA_UTIL.show_query_columns。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0560 3供应商确认:对咨询内容的决定:SF-LOC抽象:CD: SF-LOC表明合并相同类型的问题出现在相同的版本。所有这些问题都是固定在同一版本,所以他们的总和。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0561网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0561最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020206 Hackproofing Oracle应用服务器论文参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2参考:CERT-VN: VU # 611776参考:网址:http://www.kb.cert.org/vuls/id/611776参考:CERT: ca - 2002 - 08年参考:网址:http://www.cert.org/advisories/ca - 2002 - 08. - html参考:确认:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf参考:MISC:http://www.nextgenss.com/papers/hpoas.pdf参考:报价:4292参考:网址:http://www.securityfocus.com/bid/4292PL / SQL的默认配置网关应用服务器web管理界面在Oracle 9 i 1.0.2中。x使用null身份验证,它允许远程攻击者获得特权和爸爸修改设置。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0561 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0562网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0562最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020206 JSP转换文件访问Oracle 9 ias参考下:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101301440005580&w=2参考:CERT: ca - 2002 - 08年参考:网址:http://www.cert.org/advisories/ca - 2002 - 08. - html参考:CERT-VN: VU # 698467参考:网址:http://www.kb.cert.org/vuls/id/698467参考:确认:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf参考:报价:4034参考:网址:http://www.securityfocus.com/bid/4034的默认配置Oracle 9 i应用服务器1.0.2中。x运行Oracle JSP或SQLJSP存储全局变量。jsa web根下,允许远程攻击者获得敏感信息包括用户名和密码通过直接globals.jsa HTTP请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0562 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0563网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0563最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:CF参考:BUGTRAQ: 20020206 Hackproofing Oracle应用服务器论文参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2参考:CERT: ca - 2002 - 08年参考:网址:http://www.cert.org/advisories/ca - 2002 - 08. - html参考:CERT-VN: VU # 168795参考:网址:http://www.kb.cert.org/vuls/id/168795参考:确认:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf参考:MISC:http://www.nextgenss.com/papers/hpoas.pdf参考:报价:4293参考:网址:http://www.securityfocus.com/bid/4293的默认配置Oracle 9 i应用服务器1.0.2中。x允许匿名用户远程访问敏感的服务不需要身份验证,包括动态监测服务。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0563 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0564网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0564最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020206 Hackproofing Oracle应用服务器论文参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101301813117562&w=2参考:CERT-VN: VU # 193523参考:网址:http://www.kb.cert.org/vuls/id/193523参考:CERT: ca - 2002 - 08年参考:网址:http://www.cert.org/advisories/ca - 2002 - 08. - html参考:确认:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf参考:MISC:http://www.nextgenss.com/papers/hpoas.pdfPL / SQL模块3.0.9.8.2 1.0.2 Oracle 9 i应用服务器。x允许远程攻击者绕过身份验证数据库访问描述符(爸爸)通过修改URL引用另一个爸爸,已经有效身份证件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0564 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0565网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0565最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020206 JSP转换文件访问Oracle 9 ias参考下:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101301440005580&w=2参考:CERT: ca - 2002 - 08年参考:网址:http://www.cert.org/advisories/ca - 2002 - 08. - html参考:CERT-VN: VU # 547459参考:网址:http://www.kb.cert.org/vuls/id/547459参考:确认:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf参考:报价:4034参考:网址:http://www.securityfocus.com/bid/4034参考:XF: oracle-appserver-oraclejsp-view-info(8100)参考:网址:http://xforce.iss.net/static/8100.phpOracle 9 ias 1.0.2中。x将JSP文件编译_pages与全局权限下的web根目录,它允许远程攻击者获取敏感信息来自JSP代码,包括用户名和密码,通过直接_pages HTTP请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0565 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0566网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0566最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020206多个缓冲区溢出在Oracle 9 ias参考:CERT-VN: VU # 805915参考:网址:http://www.kb.cert.org/vuls/id/805915参考:CERT: ca - 2002 - 08年参考:网址:http://www.cert.org/advisories/ca - 2002 - 08. - html参考:确认:http://otn.oracle.com/deploy/security/pdf/ias_modplsql_alert.pdf参考:报价:4037参考:网址:http://www.securityfocus.com/bid/4037参考:XF: oracle-appserver-plsql-pls-dos(8099)参考:网址:http://xforce.iss.net/static/8099.phpPL / SQL模块3.0.9.8.2 1.0.2 Oracle 9 i应用服务器。x允许远程攻击者造成拒绝服务(崩溃)通过一个HTTP头没有授权身份验证类型。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0566 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0570网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0570最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020102漏洞在加密用于linux的循环设备参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-01/0010.html参考:报价:3775参考:网址:http://www.securityfocus.com/bid/3775参考:XF: linux-loop-device-encryption(7769)参考:网址:http://xforce.iss.net/static/7769.php早些时候在Linux内核2.4.10和加密的循环设备不认证加密数据的实体,它允许本地用户修改加密的数据不知道的关键。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0570 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:
- 上一页的日期:(提案)集群misc - 2001 - 004 - 28候选人
- 下一个按日期:(提案)集群最近51 - 90的候选人
- Prev线程:(提案)集群misc - 2001 - 004 - 28候选人
- 下一个线程:(提案)集群最近51 - 90的候选人
- 指数(es):
