(日期:][下一个日期][线程:][线程下][日期索引][线程索引]

(提案)集群最近- 92 - 57的候选人

我最近提出集群——92年由编辑委员会审查和投票。名称:最近- 92描述:候选人宣布4/11/2002与4/30/2002大小:57通过修改这封邮件你可能投票的候选人投票,将它寄回给我,或通过使用CVE投票网站。中列出的候选人优先秩序。优先级1和优先级2的候选人都应对不同层次的供应商确认,所以他们应该易于检查和可以信任的,是真实的问题。如果你发现任何RECENT-XX集群是不完整的对过程中发现的问题相关的时间框架,请发送信息给我,这样候选人可以被指定。——史蒂夫总结的选票使用(“严重程度”的按升序)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -接受——选民接受候选人提出等待——选民对候选人没有意见修改选民想要改变一些小细节(例如参考/描述)审查-选民正在审查/研究候选人,或需要更多的信息,重塑候选人必须大幅修改,如分割或合并拒绝候选人不是“漏洞”,或重复等。1)请写你的投票在直线上,从“投票:”开始。如果你想添加评论或细节,在投票后将它们添加到线:线。2)如果你看到任何失踪的引用,请提及他们,使他们可以包括在内。在映射引用帮助极大。3)请注意,“修改”被视为一个“接受”当计算选票。 So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING. ********** NOTE ********** NOTE ********** NOTE ********** NOTE ********** Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats. ====================================================== Candidate: CAN-2002-0042 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0042最终决定:阶段性裁决:修改:建议:20020611分配:20020116类别:科幻参考:SGI: 20020402 - 01 - p参考:网址:ftp://patches.sgi.com/support/free/security/advisories/20020402-01-P参考:XF: irix-xfs-dos(8839)参考:网址:http://www.iss.net/security_center/static/8839.php参考:报价:4511参考:网址:http://www.securityfocus.com/bid/4511脆弱性在SGI XFS文件系统IRIX 6.5.12允许本地用户造成拒绝服务(挂)通过创建一个文件,由XFS处理不当。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0042 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0538网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0538最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020415猛禽防火墙FTP反弹脆弱性参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0166.html参考:BUGTRAQ: 20020417 Re:猛禽防火墙FTP反弹脆弱性参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0224.html参考:确认:http://securityresponse.symantec.com/avcenter/security/Content/2002.04.17.html参考:XF: raptor-firewall-ftp-bounce(8847)参考:网址:http://www.iss.net/security_center/static/8847.php参考报价:4522参考:URL: h ttp: / /www.securityfocus.com/bid/4522 FTP代理在赛门铁克猛禽防火墙6.5.3和Enterprise 7.0重写一个FTP服务器的“FTP端口”反应,允许远程攻击者将FTP数据连接重定向到任意端口,“FTP反弹”的一种变体的弱点。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0538 1供应商确认:是的跟踪投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0542网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0542最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020411当地根妥协openbsd 3.0及以下参考:网址:http://online.securityfocus.com/archive/1/267089参考:BUGTRAQ: 20020411 OpenBSD本地根妥协参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101855467811695&w=2参考:确认:http://www.openbsd.org/errata30.html的邮件参考:XF: openbsd-mail-root-privileges(8818)参考:网址:http://www.iss.net/security_center/static/8818.php参考:报价:4495参考:网址:http://www.securityfocus.com/bid/4495邮件在OpenBSD 2.9和3.0处理波浪号(~)转义字符在消息即使不是在交互模式下,可以允许本地用户通过调用邮件在cron获得根权限。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0542 1供应商确认:是的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0571网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0571最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020416 ansi外连接Oracle语法允许访问任何数据参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0175.html参考:CIAC: m - 071参考:网址:http://www.ciac.org/ciac/bulletins/m - 071. shtml参考:确认:http://otn.oracle.com/deploy/security/pdf/sql_joins_alert.pdf参考:XF: oracle-ansi-sql-bypass-acl(8855)参考:网址:http://www.iss.net/security_center/static/8855.php参考:报价:4523参考:网址:http://www.securityfocus.com/bid/4523Oracle数据库服务器Oracle9i 9.0.1。x允许本地用户访问受限制的数据通过一个SQL查询使用ANSI外连接的语法。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0571 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0572网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0572最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020423欢呼参考:网址:http://online.securityfocus.com/archive/1/269102参考:BUGTRAQ: 20020422松网络咨询:Setuid应用程序执行可能会给当地的根在FreeBSD参考:网址:http://online.securityfocus.com/archive/1/268970参考:VULNWATCH: 20020422 (VULNWATCH)松网络咨询:Setuid应用程序执行可能会给当地的根在FreeBSD参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0033.html参考:FREEBSD: FreeBSD-SA-02:23参考:网址:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:23.stdio.asc参考:报价:4568参考:网址:http://www.securityfocus.com/bid/45684.5和更早的FreeBSD,可能其他BSA-based操作系统,允许本地用户写入或读取限制文件通过关闭文件描述符0(标准输入),1(标准输出),或2(标准误差),然后被称为setuid重用过程,旨在对正常文件执行I / O。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0572 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0573网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0573最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020430 Adivosry +利用远程根洞流行的商业操作系统的默认安装参考:网址:http://online.securityfocus.com/archive/1/270268参考:VULNWATCH: 20020430 [VULNWATCH] Adivosry +利用远程根洞流行的商业操作系统的默认安装参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0049.html参考:CERT: ca - 2002 - 10参考:网址:http://www.cert.org/advisories/ca - 2002 - 10. - html参考:CERT-VN: VU # 638099参考:网址:http://www.kb.cert.org/vuls/id/638099参考:XF: solaris-rwall-format-string(8971)参考:网址:http://www.iss.net/security_center/static/8971.php参考:报价:4639参考:网址:http://www.securityfocus.com/bid/4639格式字符串漏洞墙壁上RPC守护进程(rpc.rwalld)通过8为Solaris 2.5.1允许远程攻击者通过在消息格式字符串执行任意代码不正确时提供给syslog功能墙命令不能执行。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0573 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0574网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0574最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:FREEBSD: FreeBSD-SA-02:21参考:网址:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:21.tcpip.asc参考:报价:4539参考:网址:http://www.securityfocus.com/bid/4539早些时候在FreeBSD 4.5和内存泄漏允许远程攻击者造成拒绝服务(内存耗尽)通过ICMP回应数据包在ip_output引发一个错误()的路由表条目的引用计数不递减,这可以防止条目被删除。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0574 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0575网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0575最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020426修订OpenSSH安全顾问(adv.token)参考:网址:http://online.securityfocus.com/archive/1/269701参考:BUGTRAQ: 20020429 tslsa - 2002 - 0047 - openssh参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0394.html参考:BUGTRAQ: 20020420 OpenSSH安全顾问(adv.token)参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0298.html参考:火山口:综援- 2002 - 022.2参考:网址:ftp://ftp.caldera.com/pub/security/openlinux/cssa - 2002 022.2.txt参考:报价:4560参考:网址:http://www.securityfocus.com/bid/4560参考:XF: openssh-sshd-kerberos-bo(8896)参考:网址:http://www.iss.net/security_center/static/8896.php缓冲区溢出在OpenSSH 2.9.9 3。x在3.2.1之上,与Kerberos / AFS支持和KerberosTgtPassing或AFSTokenPassing启用,允许远程和本地经过身份验证的用户获得特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0575 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0576网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0576最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ:毕马威20020418 - 2002013:Coldfusion路径披露参考:网址:http://online.securityfocus.com/archive/1/268263参考:VULNWATCH: 20020418 [VULNWATCH]毕马威- 2002013:Coldfusion路径披露参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0028.html参考:确认:http://www.macromedia.com/v1/handlers/index.cfm?ID=22906参考:报价:4542参考:网址:http://www.securityfocus.com/bid/4542参考:XF: coldfusion-dos-device-path-disclosure(8866)参考:网址:http://www.iss.net/security_center/static/8866.phpColdFusion之前5.0和Windows系统允许远程攻击者决定的绝对路径名.cfm或.dbm文件通过一个HTTP请求包含一个ms - dos设备名称,如NUL泄漏路径名的一条错误消息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0576 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0598网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0598最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ:毕马威20020419 - 2002014:Foundstone Fscan格式字符串错误引用:网址:http://online.securityfocus.com/archive/1/268581参考:VULNWATCH: 20020419 [VULNWATCH]毕马威- 2002014:Foundstone Fscan格式字符串错误引用:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0030.html参考:确认:http://www.foundstone.com/knowledge/fscan112_advisory.html参考:XF: fscan-banner-format-string(8895)参考:网址:http://www.iss.net/security_center/static/8895.php参考:报价:4549参考:网址:http://www.securityfocus.com/bid/4549格式字符串漏洞在Foundstone FScan 1.12启用了横幅抓住允许远程攻击者通过格式字符串扫描系统上执行任意代码说明符在服务器横幅。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0598 1供应商确认:是的咨询确认:在一个顾问4月24日,2002年,Foundstone州”用FScan横幅通过- b命令行开关选择可能会导致一个问题,如果旗帜从远程主机接收包含c风格的printf格式说明符如百分比符号匹配字符串或数字格式说明符。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0599网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0599最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020428 Blahz-DNS:认证绕过漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0395.html参考:确认:http://sourceforge.net/project/shownotes.php?release_id=87004参考:报价:4618参考:网址:http://www.securityfocus.com/bid/4618参考:XF: blahzdns-auth-bypass(8951)参考:网址:http://www.iss.net/security_center/static/8951.phpBlahz-DNS 0.2和更早的允许远程攻击者绕过身份验证和修改配置通过直接请求dostuff等CGI程序。php而不是通过登录屏幕。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0599 1供应商确认:是的、确认:0.25补丁说“固定的能力直接绕过登录安全性通过发送命令后端php文件。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0601网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0601最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:国际空间站:20020430远程拒绝服务漏洞RealSecure网络传感器参考:网址:http://www.iss.net/security_center/alerts/advise116.php参考:BUGTRAQ: 20020430国际空间站咨询:远程拒绝服务漏洞在RealSecure网络传感器参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0420.html参考:报价:4649参考:网址:http://www.securityfocus.com/bid/4649ISS RealSecure网络传感器5。通过6.5 x允许远程攻击者造成拒绝服务(崩溃)通过DHCP畸形数据包导致RealSecure废弃一个空指针。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0601 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0610网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0610最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:CIAC: m - 075参考:网址:http://www.ciac.org/ciac/bulletins/m - 075. shtml参考:惠普:hpsbmp0204 - 014参考:网址:http://online.securityfocus.com/advisories/4082参考:报价:4652参考:网址:http://www.securityfocus.com/bid/4652参考:XF: hp-mpeix-ftp-access(8990)参考:网址:http://www.iss.net/security_center/static/8990.php脆弱性在惠普FTPSRVR MPE / iX 6.0到7.0不正确验证某些FTP命令,它允许攻击者获得特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0610 1供应商确认:是的咨询抽象/包含:这个咨询太模糊,知道那是什么类型的漏洞修复,是否这是一个重复的FTP服务器漏洞的其他更详细的报告。然而,CD:模糊的暗示,至少应该被包括在CVE问题。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0613网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0613最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020428 dnstools:认证绕过漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0390.html参考:确认:http://www.dnstools.com/dnstools_2.0.1.tar.gz参考:报价:4617参考:网址:http://www.securityfocus.com/bid/4617参考:XF: dnstools-auth-bypass(8948)参考:网址:http://www.iss.net/security_center/static/8948.phpdnstools。php DNSTools 2.0 beta 4和允许远程攻击者绕过身份验证和早些时候获得特权通过设置user_logged_in或user_dnstools_administrator参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0613 1供应商确认:是的、确认:更新日志。txt Release 2.0 Beta 5包括一个条目日期为2002-04-27:“固定URL欺骗的重大安全漏洞。不再信任变量is_logged_in或user_dnstools_administrator美元。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0539网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0539最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020415 Demarc PureSecure 1.05可能是其他(用户可以绕过登录)参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0168.html参考:BUGTRAQ: 20020417 Demarc安全更新咨询参考:网址:http://online.securityfocus.com/archive/1/267941参考:XF: puresecure-sql-injection(8854)参考:网址:http://www.iss.net/security_center/static/8854.php参考:报价:4520参考:网址:http://www.securityfocus.com/bid/4520Demarc PureSecure 1.05允许远程攻击者获得管理权限通过SQL注入攻击的会话ID存储在s_key饼干。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0539 2供应商确认:是的跟踪投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0553网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0553最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020413 SunSop:跨站脚本漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0154.html参考:XF: sunshop-new-cust-css(8840)参考:网址:http://www.iss.net/security_center/static/8840.php参考:报价:4506参考:网址:http://www.securityfocus.com/bid/4506早些时候在SunShop 2.5和跨站点脚本漏洞允许远程攻击者获得管理权限SunShop注入脚本领域在新客户注册。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0553 2供应商确认:是的领域相符确认:电子邮件查询发送到support@turnkeywebtools.com 6月3日,2002年。响应被在一个小时内,说“一个补丁发布之前,漏洞被释放。如果你升级到2.6,你会没有忧虑。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0375网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0375最终决定:阶段性裁决:修改:建议:20020611分配:20020509类别:科幻参考:VULN-DEV: 20020417 Smalls洞5日产品# 1参考:网址:http://marc.theaimsgroup.com/?l=vuln-dev&m=101908986415768&w=2参考:BUGTRAQ: 20020510修复可供Sgdynamo参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=102107488402057&w=2在sgdynamo跨站脚本漏洞。exe Sgdynamo允许远程攻击者通过一个URL执行任意Javascript脚本的HTNAME参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0375 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0389网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0389最终决定:阶段性裁决:修改:建议:20020611分配:20020523类别:科幻参考:BUGTRAQ: 20020417邮差/ Pipermail私人邮件列表/本地用户脆弱性参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101902003314968&w=2参考:MISC:http://sourceforge.net/tracker/?func=detail&atid=100103&aid=474616&group_id=103Pipermail邮差商店私人邮件消息与可预见的文件名world-executable目录,它允许本地用户阅读私人邮件列表档案分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0389 3供应商确认:没有争议包含:应对错误报告,供应商说“我不愿意解决这个问题,因为这样的安排对私人档案的网络安全是至关重要的。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0518网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0518最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:FREEBSD: FreeBSD-SA-02:20参考:网址:ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:20.syncache.asc参考:XF: bsd-syncache-inpcb-dos(8875)参考:网址:http://www.iss.net/security_center/static/8875.php参考:报价:4524参考:网址:http://www.securityfocus.com/bid/4524SYN缓存(syncache)和SYN cookie (syncookie)早些时候在FreeBSD 4.5和机制允许远程攻击者造成拒绝服务(崩溃)(a)通过一个SYN数据包被接受使用syncookies导致一个空指针引用插座的TCP选项,或(b)通过杀死和重新启动这一进程监听套接字相同,不正确清楚老inpcb指针重新启动。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0518 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0525网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0525最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020411酒店(国际米兰网新闻)安全问题参考:网址:万博下载包http://archives.neohapsis.com/archives/bugtraq/2002-04/0140.html参考:报价:4501参考:网址:http://www.securityfocus.com/bid/4501参考:XF: inn-rnews-in万博下载包ews-format-string(8834)参考:网址:http://www.iss.net/security_center/static/8834.php格式字符串漏洞(1)inews或(2)rnews客栈2.2.3早些时候,允许万博下载包本地用户和远程恶意NNTP服务器获得特权通过格式字符串说明符NTTP反应。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0525 3供应商确认:内容决定:SF-LOC, SF-EXEC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0526网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0526最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020411酒店(国际米兰网新闻)安全问题参考:网址:万博下载包http://archives.neohapsis.com/archives/bugtraq/2002-04/0140.html脆弱性(1)或(2)rnews inews客万博下载包栈2.2.3和早些时候,有关不安全的open()调用。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0526 3供应商确认:内容决定:包容包容:大参考暗指“不安全的开放()调用”,但没有提供其他细节。没有提到安全问题的供应商。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0529网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0529最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:CF参考:BUGTRAQ: 20020414脆弱性在惠普Photosmart /打印机驱动程序Mac OS X(根妥协)参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0169.html参考:报价:4518参考:网址:http://www.securityfocus.com/bid/4518参考:XF: macos-photosmart-weak-permissions(8856)参考:网址:http://www.iss.net/security_center/static/8856.php惠普Photosmart Mac OS X的打印机驱动程序安装和hp_imaging_connectivity hp_imaging_connectivity程序。应用程序与人人可写的目录的权限,允许本地用户获得特权的其他Photosmart用户更换hp_imaging_connectivity特洛伊木马。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0529 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0534网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0534最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020416多个漏洞PostBoard参考:网址:http://online.securityfocus.com/archive/1/267936参考:XF: postboard-bbcode-dos(8883)参考:网址:http://www.iss.net/security_center/static/8883.php参考:报价:4562参考:网址:http://www.securityfocus.com/bid/4562PostBoard 2.0.1和早些时候BBcode允许远程攻击者造成拒绝服务(CPU消耗)和腐败的数据库通过零\ 0字符内(代码)标记。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0534 3供应商确认:内容决定:SF-CODEBASE抽象:CD: SF-CODEBASE表明,如果同样的问题是多个产品,源于相同的代码,那么这个问题应该总和。在这种情况下,同样的问题出现在phpBB和PostBoard。虽然PostBoard问题的揭露者说它看起来像phpBB的代码复制粘贴,没有独立的证据表明,这两种产品有关(例如,没有供应商声明这种效果)。所以,这两个问题已经分裂。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0535网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0535最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020416多个漏洞PostBoard参考:网址:http://online.securityfocus.com/archive/1/267936参考:报价:4559参考:网址:http://www.securityfocus.com/bid/4559参考:XF: postboard-img-css(8881)参考:网址:http://www.iss.net/security_center/static/8881.php早些时候在PostBoard 2.0.1和跨站点脚本漏洞允许远程攻击者执行脚本和其他用户通过(1)一个[IMG]标签启用BBCode时,或(2)在一个主题标题。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0535 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0537网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0537最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020411慢波睡眠Vuln(小但重要的那些使用它。)参考网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0148.html参考:XF: sws-insecure-admin-page(8849)参考:网址:http://www.iss.net/security_center/static/8849.php参考:报价:4503参考:网址:http://www.securityfocus.com/bid/4503管理。html文件在StepWeb搜索引擎(慢波睡眠)2.5商店密码链接管理器。pl,允许远程攻击者可以访问admin。html文件来获得管理权限慢波睡眠。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0537 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0540网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0540最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020419 Re:北电CVX 1800年代将转储所有本地用户名和密码通过SNMP参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0272.html参考:BUGTRAQ: 20020413 1800年代北电CVX将转储所有本地用户名和密码通过SNMP参考:网址:http://online.securityfocus.com/archive/1/267627参考:XF: nortel-default-snmp-string(8848)参考:网址:http://www.iss.net/security_center/static/8848.php参考:报价:4507参考:网址:http://www.securityfocus.com/bid/4507北电CVX 1800安装一个默认的“公共”社区字符串,它允许远程攻击者读取用户名和密码和修改CVX配置。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0540 3供应商确认:是的后续内容决定:CF-PASS投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0541网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0541最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020411 iXsecurity.20020328.tivoli_tsm_dsmsvc。参考网址:http://online.securityfocus.com/archive/1/267143参考:BUGTRAQ: 20020411 iXsecurity.20020327.tivoli_tsm_dsmcad。参考网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0126.html参考:AIXAPAR: IC33211参考:确认:http://www.tivoli.com/support/storage_mgr/flash_httpport.html参考:AIXAPAR: IC33212参考:报价:4500参考:网址:http://www.securityfocus.com/bid/4500参考:报价:4492参考:网址:http://www.securityfocus.com/bid/4492参考:XF: tivoli-storagemanager-client-bo(8817)参考:网址:http://www.iss.net/security_center/static/8817.php参考:XF: tivoli-storagemanager-login-bo(8825)参考:网址:http://www.iss.net/security_center/static/8825.php在Tivoli Storage Manager TSM缓冲区溢出(1)服务器或存储代理3.1到5.1,和(2)TSM客户机接受者服务4.2和5.1,允许远程攻击者可能导致拒绝服务(崩溃)和执行任意代码通过一个HTTP GET请求长1580端口或端口1581。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0541 3供应商确认:对咨询内容的决定:SF-EXEC抽象:CD: SF-EXEC表明如果多个可执行文件在同一个包由同一供应商有相同的问题,那么他们应该合并。客户端和服务器都是TSM一揽子计划的一部分。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0552网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0552最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ:混色聊天服务器引用20020414漏洞:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0157.html参考:BUGTRAQ: 20020416混色聊天POC DOS参考:网址:http://online.securityfocus.com/archive/1/267932参考:报价:4510参考:网址:http://www.securityfocus.com/bid/4510参考:XF: melange-chat-config-bo(8845)参考:网址:http://www.iss.net/security_center/static/8845.php参考:XF: melange-chat-yell-bo(8842)参考:网址:http://www.iss.net/security_center/static/8842.php参考:报价:4508参考:网址:http://www.securityfocus.com/bid/4508参考:报价:4509参考:网址:http://www.securityfocus.com/bid/4509参考:XF: melange-chat-filename-bo(8846)参考:网址:http://www.iss.net/security_center/static/8846.php多个缓冲区溢出在混色聊天服务器2.02允许远程或本地攻击者可能导致拒绝服务(崩溃)和执行任意代码通过(1)长/喊命令参数,(2)/etc/melange.排长队conf配置文件,(3)长文件名,或其他攻击。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0552 3供应商确认:内容决定:SF-LOC准确性:/大喊参数可以远程触发,目前尚不清楚是否可以利用其他溢出的用户开始混色以外的任何人。根据Makefile。2.0.2β为服务器的代码,混色二进制没有安装setuid和setgid,和/etc/melange.conf没有安装集团——或者人人可写的。还应该指出的是,揭露者提供了许多补丁,其中一些可能是为远程溢出大参考没有特别提到。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0554网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0554最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020411 IBM Informix Web DataBlade: SQL注入参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0135.html参考:报价:4496参考:网址:http://www.securityfocus.com/bid/4496参考:XF: informix-wdm-sql-injection(8826)参考:网址:http://www.iss.net/security_center/static/8826.phpwebdriver在Web DataBlade IBM Informix 4.12允许远程攻击者绕过用户访问级别或读取任意文件通过一个HTTP请求的SQL注入攻击。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0554 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0555网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0555最终决定:阶段性裁决:修改:建议:20020611分配:20020607类别:科幻参考:BUGTRAQ: 20020411 IBM Informix Web DataBlade: Auto-decoding HTML实体引用:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0137.html参考:报价:4498参考:网址:http://www.securityfocus.com/bid/4498参考:XF: informix-wbm-sql-decoding(8827)参考:网址:http://www.iss.net/security_center/static/8827.phpIBM Informix Web DataBlade 4.12将对用户输入应用程序即使逃走了,这可能允许远程攻击者在Web表单中执行SQL代码即使开发人员试图逃避它。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0555 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0577网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0577最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:惠普:hpsbux0204 - 191参考:网址:http://archives.neohapsis.com/archives/hp/2002-q2/0023.html参考:报价:4582参考:网址:http://www.securityfocus.com/bid/4582参考:XF: hpux-passwd-dos(8939)参考:网址:http://www.iss.net/security_center/static/8939.php脆弱性的passwd hp - ux 11.00和11.11允许本地用户腐败密码文件,造成拒绝服务。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0577 3供应商确认:对咨询内容的决定:模糊的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0579网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0579最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020419 Xpede许多漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0273.html参考:报价:4552参考:网址:http://www.securityfocus.com/bid/4552参考:XF: xpede-insecure-admin-scripts(8900)参考:网址:http://www.iss.net/security_center/static/8900.phpWorkforceROI Xpede 4.1允许远程攻击者获得特权作为Xpede管理员通过直接/ admin / adminproc HTTP请求。asp脚本,不提示输入密码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0579 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0580网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0580最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020419 Xpede许多漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0273.html参考:报价:4553参考:网址:http://www.securityfocus.com/bid/4553参考:XF: xpede-datasource-reveal-account(8902)参考:网址:http://www.iss.net/security_center/static/8902.phpWorkforceROI Xpede 4.1允许远程攻击者通过请求数据源获取数据库用户名。asp,泄漏的用户名的形式,允许攻击者更容易进行暴力破解密码猜测攻击。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0580 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0581网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0581最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020419 Xpede许多漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0273.html参考:报价:4555参考:网址:http://www.securityfocus.com/bid/4555参考:XF: xpede-sprc-sql-injection(8903)参考:网址:http://www.iss.net/security_center/static/8903.phpWorkforceROI Xpede 4.1允许远程攻击者执行任意SQL命令和读取、修改或偷凭证从数据库通过sprc Qry参数。asp脚本。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0581 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0582网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0582最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020419 Xpede许多漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0273.html参考:报价:4554参考:网址:http://www.securityfocus.com/bid/4554参考:XF: xpede-expense-directory-permissions(8905)参考:网址:http://www.iss.net/security_center/static/8905.phpWorkforceROI Xpede 4.1临时费用索赔报告存储在全局和可转位/报告/临时目录,它允许远程攻击者读取报告通过访问目录。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0582 3供应商确认:内容决定:SF-LOC抽象:CD: SF-LOC建议将不同类型的项目。如果“可转位和可读/报告/临时”问题是固定的,系统仍将很容易受到“蛮力猜测”攻击。所以,这些问题被视为单独的项目,即使他们是密切相关的。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0583网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0583最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020419 Xpede许多漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0273.html参考:报价:4554参考:网址:http://www.securityfocus.com/bid/4554参考:XF: xpede-expense-directory-permissions(8905)参考:网址:http://www.iss.net/security_center/static/8905.phpWorkforceROI Xpede 4.1使用一个小随机名称空间(5字母数字字符)的临时费用索赔报告/报告/临时目录,它允许远程攻击者通过蛮力攻击阅读这些报告。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0583 3供应商确认:内容决定:SF-LOC抽象:CD: SF-LOC建议将不同类型的项目。如果“可转位和可读/报告/临时”问题是固定的,系统仍将很容易受到“蛮力猜测”攻击。所以,这些问题被视为单独的项目,即使他们是密切相关的。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0584网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0584最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020419 Xpede许多漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0273.html参考:报价:4556参考:网址:http://www.securityfocus.com/bid/4556参考:XF: xpede-timesheet-disclosure(8907)参考:网址:http://www.iss.net/security_center/static/8907.phpWorkforceROI Xpede 4.1允许远程攻击者读取用户时间表通过修改听ts_app_process ID参数。asp脚本,它很容易可猜测的因为它是增加了1每一个新的时间表。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0584 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0586网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0586最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020416 [CERT-intexxia] AOLServer DB代理守护进程格式字符串漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0195.html参考:确认:http://sourceforge.net/tracker/index.php?func=detail&aid=533141&group_id=3152&atid=303152参考:报价:4535参考:网址:http://www.securityfocus.com/bid/4535参考:XF: aolserver-dbproxy-format-string(8860)参考:网址:http://www.iss.net/security_center/static/8860.php格式字符串漏洞Ns_PdLog函数外部数据库驱动程序代理守护程序库(libnspd.a)通过3.4.2 AOLServer 3.0允许远程攻击者通过错误或通知参数执行任意代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0586 3供应商确认:是的内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0587网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0587最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020416 [CERT-intexxia] AOLServer DB代理守护进程格式字符串漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0195.html参考:确认:http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/aolserver/aolserver/nspd/log.c.diff?r1=1.4&r2=1.4.6.1参考:确认:http://sourceforge.net/tracker/index.php?func=detail&aid=533141&group_id=3152&atid=303152缓冲区溢出Ns_PdLog函数外部数据库驱动程序代理守护程序库(libnspd.a)通过3.4.2 AOLServer 3.0允许远程攻击者造成拒绝服务或通过错误或通知参数执行任意代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0587 3供应商确认:是的内容决定:SF-LOC包含:原始的海报具体国家,他们发现“一个格式字符串和一个缓冲区溢出漏洞。”The patch to log.c clearly indicates a fix for an overflow (vsprintf changed to vsnprintf). Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0588 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0588最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020418 [[026 TH公司]]SA # 1 -多个漏洞PVote 1.5参考:网址:http://online.securityfocus.com/archive/1/268231参考:确认:http://orbit-net.net: 8001 / php / pvote /参考:XF: pvote-add-delete-polls(8877)参考:网址:http://www.iss.net/security_center/static/8877.php参考:报价:4540参考:网址:http://www.securityfocus.com/bid/4540PVote之前1.9不验证用户限制操作,远程攻击者可以添加或删除投票通过修改参数(1)或(2)del.php . php。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0588 3供应商确认:是的更新日志内容决定:SF-EXEC确认:1.9包含一个项目的更改日志日期为周四,2002年4月18日,“重大安全修正由于[Bugtraq海报。]" Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0589 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0589最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020418 [[026 TH公司]]SA # 1 -多个漏洞PVote 1.5参考:网址:http://online.securityfocus.com/archive/1/268231参考:确认:http://orbit-net.net: 8001 / php / pvote /参考:XF: pvote-change-admin-password(8878)参考:网址:http://www.iss.net/security_center/static/8878.php参考:报价:4541参考:网址:http://www.securityfocus.com/bid/4541PVote之前1.9允许远程攻击者修改管理密码,直接调用ch_info获得特权。php和newpass确认参数设置新密码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0589 3供应商确认:是的更新日志内容决定:SF-EXEC确认:1.9包含一个项目的更改日志日期为周四,2002年4月18日,“重大安全修正由于[Bugtraq海报。]" Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0590 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0590最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020419 [[026 TH公司]]SA 1.1 # 2 - IcrediBB,跨站脚本漏洞。参考网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0263.html参考:报价:4548参考:网址:http://www.securityfocus.com/bid/4548参考:XF: incredibb-html-css(8879)参考:网址:http://www.iss.net/security_center/static/8879.php跨站点脚本(CSS)脆弱性IcrediBB 1.1 Beta允许远程攻击者执行任意脚本和窃取cookie其他IcrediBB用户通过标题(1)或(2)的职位。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0590 3供应商确认:内容决定:EX-BETA投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0591网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0591最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020416目的的直接连接的功能可能会导致任意文件创建参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0203.html参考:报价:4526参考:网址:http://www.securityfocus.com/bid/4526参考:XF: aim-direct-connection-files(8870)参考:网址:http://www.iss.net/security_center/static/8870.php目录遍历脆弱性AOL的即时通讯(AIM) 4.8 beta早些时候,允许远程攻击者创建任意文件和执行命令通过直接连接一个IMG标记的SRC属性指定了目标文件名。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0591 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0592网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0592最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020421目的远程文件传输/直接连接漏洞参考:网址:http://online.securityfocus.com/archive/1/269006参考:报价:4574参考:网址:http://www.securityfocus.com/bid/4574AOL的即时通讯(AIM)允许远程攻击者窃取文件被转移到其他客户端连接到端口4443(直接连接)或端口5190(文件传输)之前预期的用户。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0592 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0593网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0593最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020430 RE:读取本地文件在Netscape 6和Mozilla (GM # 001 - ns)参考:网址:http://online.securityfocus.com/archive/1/270249参考:CONECTIVA: CLA-2002:490参考:网址:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000490参考:报价:4637参考:网址:http://www.securityfocus.com/bid/4637缓冲区溢出早些时候在Netscape 6和Mozilla 1.0 RC1和允许远程攻击者可能导致拒绝服务(崩溃)和执行任意代码通过一个长在IRC频道的名字URI。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0593 3供应商确认:对咨询内容的决定:EX-CLIENT-DOS抽象:Bugtraq海报所示的问题可能是由于其他比一个可利用的溢出。如果错误导致客户端崩溃,然后CD: EX-CLIENT-DOS表明它不应该被包括在CVE。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0594网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0594最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020430 RE:读取本地文件在Netscape 6和Mozilla (GM # 001 - ns)参考:网址:http://online.securityfocus.com/archive/1/270249参考:CONECTIVA: CLA-2002:490参考:网址:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000490参考:报价:4640参考:网址:http://www.securityfocus.com/bid/4640Netscape 6和Mozilla 1.0 RC1和允许远程攻击者决定早些时候的存在客户端系统上的文件通过一个LINK元素的层叠样式表(CSS)导致HTTP重定向页面。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0594 3供应商确认:对咨询内容的决定:EX-CLIENT-DOS抽象:Bugtraq海报所示的问题可能是由于其他比一个可利用的溢出。如果错误导致客户端崩溃,然后CD: EX-CLIENT-DOS表明它不应该被包括在CVE。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0595网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0595最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020416 Webtrends举报中心缓冲区溢出(# NISR17042002C)参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0207.html参考:XF: webtrends-long-string-bo(8864)参考:网址:http://www.iss.net/security_center/static/8864.php参考:报价:4531参考:网址:http://www.securityfocus.com/bid/4531在WTRS_UI缓冲区溢出。EXE (WTX_REMOTE.DLL) WebTrends举报中心4.0 d允许远程攻击者通过长HTTP GET请求来执行任意代码/报告/目录中。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0595 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0596网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0596最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020416 Webtrends举报中心缓冲区溢出(# NISR17042002C)参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0207.html参考:XF: webtrends-profile-path-disclosure(8865)参考:网址:http://www.iss.net/security_center/static/8865.phpWebTrends举报中心4.0 d允许远程攻击者确定的realt路径get_od_toc web服务器通过一个GET请求。pl与空剖面参数,泄漏路径名的错误消息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0596 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0597网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0597最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ:毕马威20020417 - 2002011:Windows 2000 microsoft-ds拒绝服务引用:网址:http://online.securityfocus.com/archive/1/268066参考:VULNWATCH: 20020417 [VULNWATCH]毕马威- 2002011:Windows 2000 microsoft-ds拒绝服务引用:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0025.html参考:XF: win2k-lanman-dos(8867)参考:网址:http://www.iss.net/security_center/static/8867.php参考:报价:4532参考:网址:http://www.securityfocus.com/bid/4532LANMAN服务Microsoft Windows 2000允许远程攻击者造成拒绝服务(CPU /内存耗尽)通过一连串的畸形数据microsoft-ds端口445。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0597 3供应商确认:未知discloser-claimed确认:大量的数据资料显示,KB文章Q320751解决了这个问题,但它不能被发现在微软网站上的20020610。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0600网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0600最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020424 Kerberos4 ftp客户端中的缺陷可能导致堆溢出导致远程代码执行参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0339.html参考:XF: kerberos4-ftp-client-overflow(8938)参考:网址:http://www.iss.net/security_center/static/8938.php参考:报价:4592参考:网址:http://online.securityfocus.com/bid/4592堆溢出在Kerberos 4 k的FTP客户端4-1.1.1允许远程恶意服务器执行任意代码在客户端通过一个长响应被动(PASV)模式的要求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0600 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0606网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0606最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020429 3 cdaemon DoS利用参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0428.html参考:报价:4638参考:网址:http://www.securityfocus.com/bid/4638参考:XF: 3 cdaemon-ftp-bo(8970)参考:网址:http://www.iss.net/security_center/static/8970.php缓冲区溢位3 cdaemon 2.0 FTP服务器允许远程攻击者可能导致拒绝服务(崩溃)和登录等通过长命令执行任意代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0606 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0607网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0607最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 2000 Snitz论坛20020419远程SQL查询操作漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0279.html参考:确认:http://forum.snitz.com/forum/topic.asp?TOPIC_ID=26770参考:XF: snitz-members-sql-injection(8898)参考:网址:http://www.iss.net/security_center/static/8898.php参考:报价:4558参考:网址:http://www.securityfocus.com/bid/4558成员。asp Snitz论坛2000年3.3.03和更早的版本上,允许远程攻击者执行任意代码通过SQL注入攻击的参数(1)M_NAME,(2)用户名,(3)FirstName、LastName(4)或(5)原价。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0607 3供应商确认:是的内容决定:SF-LOC ACKNPOWLEDGEMENT:在一个网络安全论坛,供应商包括一个项目4月23日,2002年国家”有一个安全漏洞。asp”,提供一个补丁显然处理清算SQL注入攻击。准确性:参数除了M_NAME推断从供应商补丁。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0608网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0608最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020422 Matu FTP远程缓冲区溢出漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0310.html参考:XF: matu-ftp-long-string-bo(8911)参考:网址:http://www.iss.net/security_center/static/8911.php参考:报价:4572参考:网址:http://www.securityfocus.com/bid/4572缓冲区溢出Matu FTP客户端1.74允许远程FTP服务器执行任意代码通过一个长“220”横幅。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0608 3供应商确认:未知的外国投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0609网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0609最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:惠普:hpsbmp0204 - 013参考:网址:http://online.securityfocus.com/advisories/4047参考:XF: hp-mpeix-ip-dos(8901)参考:网址:http://www.iss.net/security_center/static/8901.php参考:报价:4536参考:网址:http://www.securityfocus.com/bid/4536脆弱性在惠普MPE / iX 6.0 7.0允许攻击者造成拒绝服务(系统故障”SA1457 i_port_timeout.fix_up_message_frame”)通过畸形IP数据包。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0609 3供应商确认:对咨询内容的决定:模糊的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0611网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0611最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:VULN-DEV: 20020416 FileSeek cgi脚本咨询参考:网址:http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0132.html参考:XF: fileseek-cgi-directory-traversal(8858)参考:网址:http://www.iss.net/security_center/static/8858.php目录遍历FileSeek脆弱性。cgi允许远程攻击者通过....读取任意文件/ /(修改点点)(1)或(2)脚参数,不适当的过滤。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0611 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0612网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0612最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:VULN-DEV: 20020416 FileSeek cgi脚本咨询参考:网址:http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0132.html参考:XF: fileseek-cgi-command-execution(8857)参考:网址:http://www.iss.net/security_center/static/8857.phpFileSeek。cgi允许远程攻击者执行任意命令通过shell元字符(1)或(2)脚参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0612 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0614网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0614最终决定:阶段性裁决:修改:建议:20020611分配:20020611类别:科幻参考:BUGTRAQ: 20020426 PHP-Survey数据库访问漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-04/0383.html参考:报价:4612参考:网址:http://www.securityfocus.com/bid/4612参考:XF: phpsurvey-global-reveal-info(8950)参考:网址:http://www.iss.net/security_center/static/8950.phpPHP-Survey 20000615和早些时候商店全球。公司文件在web根,它允许远程攻击者获取敏感信息,包括数据库证书,如果没有预处理. inc文件服务器。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0614 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:
页面最后更新或审查:2007年5月22日,