
[PROPOSAL] Cluster RECENT-99 - 37 candidates



我最近提出集群——99年由编辑委员会审查和投票。名称:最近- 99描述:罐宣布2002/06/01与2002/06/11大小:37通过修改这封邮件你可能投票的候选人投票,将它寄回给我,或通过使用CVE投票网站。中列出的候选人优先秩序。优先级1和优先级2的候选人都应对不同层次的供应商确认,所以他们应该易于检查和可以信任的,是真实的问题。如果你发现任何RECENT-XX集群是不完整的对过程中发现的问题相关的时间框架,请发送信息给我,这样候选人可以被指定。——史蒂夫总结的选票使用(“严重程度”的按升序)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -接受——选民接受候选人提出等待——选民对候选人没有意见修改选民想要改变一些小细节(例如参考/描述)审查-选民正在审查/研究候选人,或需要更多的信息,重塑候选人必须大幅修改,如分割或合并拒绝候选人不是“漏洞”,或重复等。1)请写你的投票在直线上,从“投票:”开始。如果你想添加评论或细节,在投票后将它们添加到线:线。2)如果你看到任何失踪的引用,请提及他们,使他们可以包括在内。在映射引用帮助极大。3)请注意,“修改”被视为一个“接受”当计算选票。 So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING. ********** NOTE ********** NOTE ********** NOTE ********** NOTE ********** Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats. ====================================================== Candidate: CAN-2002-0804 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0804最终决定:阶段性裁决:修改:建议:20020830分配:20020729类别:科幻参考:BUGTRAQ: 20020608 (BUGZILLA)安全顾问为2.14版本的BUGZILLA 2.14.2之前,2.16之前2.16 rc2参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html参考:确认:http://bugzilla.mozilla.org/show_bug.cgi?id=129466参考:REDHAT: RHSA-2002:109参考:报价:4964参考:网址:http://online.securityfocus.com/bid/49642.14.2之前Bugzilla 2.14, 2.16之前2.16 rc2,当配置为执行反向DNS查找,允许远程攻击者绕过IP限制通过连接从一个系统欺骗反向DNS主机名。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0804 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0805网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0805最终决定:阶段性裁决:修改:建议:20020830分配:20020729类别:科幻参考:BUGTRAQ: 20020608 
(BUGZILLA)安全顾问为2.14版本的BUGZILLA 2.14.2之前,和2.16之前2.16 rc2参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html参考:确认:http://bugzilla.mozilla.org/show_bug.cgi?id=134575参考:REDHAT: RHSA-2002:109参考:报价:4964参考:网址:http://online.securityfocus.com/bid/49642.14.2之前Bugzilla 2.14, 2.16之前2.16 rc2,(1)创建新的目录,人人可写的权限,和(2)创建参数文件,人人可写的权限,它允许本地用户修改文件和执行代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0805 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0806网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0806最终决定:阶段性裁决:修改:建议:20020830分配:20020729类别:科幻参考:BUGTRAQ: 20020608 (BUGZILLA)安全顾问为2.14版本的BUGZILLA 2.14.2之前,和2.16之前2.16 rc2参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html参考:确认:http://bugzilla.mozilla.org/show_bug.cgi?id=141557参考:REDHAT: RHSA-2002:109参考:报价:4964参考:网址:http://online.securityfocus.com/bid/49642.14.2之前Bugzilla 2.14, 2.16之前2.16 rc2,允许经过身份验证的用户具有编辑权限删除其他用户通过直接调用editusers。cgi脚本“▽”选项。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0806 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0808网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0808最终决定:阶段性裁决:修改:建议:20020830分配:20020729类别:科幻参考:BUGTRAQ: 20020608 (BUGZILLA)安全顾问为2.14版本的BUGZILLA 2.14.2之前,和2.16之前2.16 rc2参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html参考:确认:http://bugzilla.mozilla.org/show_bug.cgi?id=107718参考:REDHAT: 
RHSA-2002:109参考:报价:4964参考:网址:http://online.securityfocus.com/bid/49642.14.2之前Bugzilla 2.14, 2.16之前2.16 rc2,当执行一个大规模的变化,集所有bug的groupset groupset的第一个错误,可能无意中导致不安全的groupset权限分配给一些bug。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0808 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0809网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0809最终决定:阶段性裁决:修改:建议:20020830分配:20020729类别:科幻参考:BUGTRAQ: 20020608 (BUGZILLA)安全顾问为2.14版本的BUGZILLA 2.14.2之前,和2.16之前2.16 rc2参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html参考:确认:http://bugzilla.mozilla.org/show_bug.cgi?id=148674参考:REDHAT: RHSA-2002:109参考:报价:4964参考:网址:http://online.securityfocus.com/bid/49642.14.2之前Bugzilla 2.14, 2.16之前2.16 rc2,不妥善处理url编码字段名称生成一些浏览器,这可能导致某些领域似乎设置,已删除组权限的影响当buglist bug。cgi提供编码字段名称。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0809 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0810网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0810最终决定:阶段性裁决:修改:建议:20020830分配:20020729类别:科幻参考:BUGTRAQ: 20020608 (BUGZILLA)安全顾问为2.14版本的BUGZILLA 2.14.2之前,和2.16之前2.16 rc2参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html参考:确认:http://bugzilla.mozilla.org/show_bug.cgi?id=92263参考:REDHAT: RHSA-2002:109参考:报价:4964参考:网址:http://online.securityfocus.com/bid/49642.14.2之前Bugzilla 2.14, 2.16之前2.16 rc2,指导错误消息从syncshadowdb命令HTML输出,这可能泄漏敏感信息,包括明文密码,如果syncshadowdb失败。分析- - - - - - - - - - - - - - - - - ED_PRI - 
2002 - 0810 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0911网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0911最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:火山口:综援- 2002 - 024.0参考:网址:ftp://ftp.caldera.com/pub/security/openlinux/cssa - 2002 024.0.txt参考:报价:4923参考:网址:http://www.securityfocus.com/bid/4923参考:XF: volution-manager-plaintext-password(9240)参考:网址:http://www.iss.net/security_center/static/9240.php火山口涡旋经理1.1存储在slapd目录管理员密码明文。配置文件,允许本地用户获得特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0911 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0914网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0914最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020601安全。NNOV:快递CPU疲惫+奖金imap-uw参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-05/0295.html参考:确认:http://sourceforge.net/project/shownotes.php?release_id=93065参考:报价:4908参考:网址:http://www.securityfocus.com/bid/4908参考:XF: courier-mta-year-dos(9228)参考:网址:http://www.iss.net/security_center/static/9228.php双精度快递邮件MTA允许远程攻击者造成拒绝服务(CPU消耗)通过消息或负极大值,导致一个紧密的循环。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0914 1供应商确认:是的、确认:变更日期为2002-05-20“rfc822_parsedt包含一个项目。c (rfc822_parsedt):忽略明显无效的年(别人会担心Y10K)。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = 
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0916网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0916最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:VULNWATCH: 20020603 [VULNWATCH] [DER # 11] - Remotey可利用的fmt鱿鱼引用字符串错误:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0087.html参考:BUGTRAQ: 20020604 (DER # 11)——Remotey可利用的fmt鱿鱼引用字符串错误:网址:http://online.securityfocus.com/archive/1/275347参考:确认:http://www.squid-cache.org/Versions/v2/2.4/diff-2.4.STABLE6-2.4.STABLE7.gz参考:报价:4929参考:网址:http://www.securityfocus.com/bid/4929参考:XF: msntauth-squid-format-string(9248)参考:网址:http://www.iss.net/security_center/static/9248.php格式字符串漏洞在allowuser代码Stellar-X msntauth身份验证模块,分布在2.4鱿鱼。STABLE6早些时候,允许远程攻击者执行任意代码通过用户名格式字符串,syslog调用不妥善处理。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0916 1供应商确认:是的diff承认:尽管没有供应商报告,明确提及格式字符串的问题,很明显的差异(和通过电子邮件确认),主要变化是代码,解决格式字符串和缓冲区溢出问题最初报道。应该注意的是,鱿鱼分布是固定的,但原Stellar-X不是(截至7月29日)。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0945网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0945最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020608 SeaNox Devwex -拒绝服务和目录遍历参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0056.html参考:确认:http://www.seanox.de/projects.devwex.php参考:XF: devwex-get-bo(9298)参考:网址:http://www.iss.net/security_center/static/9298.php参考:报价:4979参考:网址:http://www.securityfocus.com/bid/4979缓冲区溢出在SeaNox Devwex允许远程攻击者可能导致拒绝服务(崩溃)和执行任意代码通过一个HTTP GET请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0945 1供应商确认:是的、确认:供应商的“不妨”页面(可以在左边菜单)一个项目开始于6月1日,2002年,哪个州(基于谷歌翻译):”目录处理[是]修改在一个安全的和errortolerant路径处理。带来的Java可能是女士ueberladene[很久了吗?)请求VM(导致)崩溃。”投票部分- - - - - - - - - - - - - - - 
-可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0946网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0946最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020608 SeaNox Devwex -拒绝服务和目录遍历参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0056.html参考:确认:http://www.seanox.de/projects.devwex.php参考:报价:4978参考:网址:http://www.securityfocus.com/bid/4978参考:XF: devwex-dotdot-directory-traversal(9299)参考:网址:http://www.iss.net/security_center/static/9299.php目录遍历脆弱性SeaNox Devwex 1.2002.0601之前允许远程攻击者读取任意文件通过. .\(点点)序列在一个HTTP请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0946 1供应商确认:是的、确认:供应商的“不妨”页面(可以在左边菜单)一个项目开始于6月1日,2002年,哪个州(基于谷歌翻译):”目录处理[是]修改在一个安全的和errortolerant路径处理。带来的Java可能是女士ueberladene[很久了吗?)请求VM(导致)崩溃。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0958网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0958最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020606 (ARL02-A12) PHP(反应堆)跨站脚本漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0034.html参考:确认:http://sourceforge.net/project/shownotes.php?release_id=91877参考:XF: phpreactor-browse-xss(9280)参考:网址:http://www.iss.net/security_center/static/9280.php参考:报价:4952参考:网址:http://www.securityfocus.com/bid/4952跨站点脚本漏洞在浏览。php为php(反应堆)1.2.7允许远程攻击者编写执行脚本和其他用户通过参数在评论部分。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0958 1供应商确认:是的、确认:供应商变更1.2.7p1说“固定2 XSS错误。”A source code diff of inc/global.inc.php in phpreactor-1.2.7 and phpreactor-1.2.7p1 shows that the only 
change was a call to strip_tags() when setting the $go variable. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0967 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0967最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020606 eDonkey 2000 ed2k: URL缓冲区溢位参考:网址:http://online.securityfocus.com/archive/1/275708参考:确认:http://www.edonkey2000.com/参考:XF: edonkey2000-ed2k-filename-bo(9278)参考:网址:http://www.iss.net/security_center/static/9278.php参考:报价:4951参考:网址:http://www.securityfocus.com/bid/4951缓冲区溢出2000年eDonkey 35.16.60早些时候,允许远程攻击者可能导致拒绝服务(崩溃)和执行任意代码通过一个长URL“ed2k:”。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0967 1供应商确认:是的、确认:供应商的主页,一个项目日期6.5.02国家”的安全利用windows的GUI客户端已经固定的……由于Shane Hird[通知]指出我们。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1051网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1051最终决定:阶段性裁决:修改:建议:20020830分配:20020830类别:科幻参考:BUGTRAQ: 20020606格式字符串错误TrACESroute 6.0黄金参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0040.html参考:BUGTRAQ: 20020721 Nanog traceroute格式字符串利用。参考网址:http://marc.theaimsgroup.com/?l=bugtraq&m=102737546927749&w=2参考:BUGTRAQ: 20020723 Re: Nanog traceroute格式字符串利用。参考网址:http://archives.neohapsis.com/archives/bugtraq/2002-07/0254.html参考:BUGTRAQ: 20020724 Re: Nanog traceroute格式字符串利用。参考网址:http://marc.theaimsgroup.com/?l=bugtraq&m=102753136231920&w=2参考:SUSE: SuSE-SA: 
2000:041参考:网址:http://www.suse.de/de/security/2000_041_traceroute_txt.html参考:报价:4956参考:网址:http://www.securityfocus.com/bid/4956参考:XF: tracesroute-t-format-string(9291)参考:网址:http://www.iss.net/security_center/static/9291.php格式字符串漏洞TrACESroute 6.0黄金(又名NANOG traceroute)允许本地用户执行任意代码通过- t(终结者)命令行参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1051 1供应商确认:是的跟踪投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0803网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0803最终决定:阶段性裁决:修改:建议:20020830分配:20020729类别:科幻参考:BUGTRAQ: 20020608 (BUGZILLA)安全顾问为2.14版本的BUGZILLA 2.14.2之前,2.16之前2.16 rc2参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html参考:确认:http://bugzilla.mozilla.org/show_bug.cgi?id=126801参考:REDHAT: RHSA-2002:109参考:报价:4964参考:网址:http://online.securityfocus.com/bid/49642.14.2之前Bugzilla 2.14, 2.16之前2.16 rc2,允许远程攻击者通过直接显示受限制的产品和组件queryhelp.cgi HTTP请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0803 3供应商确认:对咨询内容的决定:模糊的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0807网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0807最终决定:阶段性裁决:修改:建议:20020830分配:20020729类别:科幻参考:BUGTRAQ: 20020608 (BUGZILLA)安全顾问为2.14版本的BUGZILLA 2.14.2之前,和2.16之前2.16 rc2参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html参考:确认:http://bugzilla.mozilla.org/show_bug.cgi?id=146447参考:REDHAT: RHSA-2002:109参考:报价:4964参考:网址:http://online.securityfocus.com/bid/49642.14.2前跨站点脚本漏洞在Bugzilla 2.14, 2.16之前2.16 
rc2,可能允许远程攻击者执行脚本和其他Bugzilla用户通过姓名(真实姓名),这不是正确editusers.cgi援引。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0807 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0811网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0811最终决定:阶段性裁决:修改:建议:20020830分配:20020729类别:科幻参考:BUGTRAQ: 20020608 (BUGZILLA)安全顾问为2.14版本的BUGZILLA 2.14.2之前,和2.16之前2.16 rc2参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html参考:确认:http://bugzilla.mozilla.org/show_bug.cgi?id=130821参考:REDHAT: RHSA-2002:109参考:报价:4964参考:网址:http://online.securityfocus.com/bid/49642.14.2之前Bugzilla 2.14, 2.16之前2.16 rc2,允许远程攻击者可能导致拒绝服务或执行某些查询通过SQL注入攻击buglist.cgi排序参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0811 3供应商确认:对咨询内容的决定:包容包容:开发人员不确定是否这个bug确实是可利用的。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0878网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0878最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020604 sql注入Logisense软件参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0010.html参考:报价:4931参考:网址:http://www.securityfocus.com/bid/4931参考:XF: logisense-sql-injection(9268)参考:网址:http://www.iss.net/security_center/static/9268.phpSQL注入漏洞在登录表单LogiSense软件包括(1)Hawk-i计费,(2)Hawk-i ASP和(3)DNS管理器允许远程攻击者绕过身份验证密码字段通过SQL代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0878 3供应商确认:内容决定:SF-EXEC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG 
ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0907网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0907最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020604 SHOUTcast 1.8.9 bufferoverflow参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0016.html参考:报价:4934参考:网址:http://www.securityfocus.com/bid/4934参考:XF: shoutcast-icy-remote-bo(9251)参考:网址:http://www.iss.net/security_center/static/9251.php缓冲区溢出的SHOUTcast 1.8.9和其他版本之前1.8.12允许远程身份验证的DJ在服务器上执行任意代码通过一个长值在一个头的名字从“冰冷——”开始。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0907 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0913网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0913最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:VULN-DEV: 20020604 SRT安全顾问(srt2002 - 06 - 04 - 1011):把参考:网址:http://marc.theaimsgroup.com/?l=vuln-dev&m=102323341407280&w=2参考:BUGTRAQ: 20020604 SRT安全顾问(srt2002 - 06 - 04 - 1011):把参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0014.html参考:XF: slurp-syslog-format-string(9270)参考:网址:http://www.iss.net/security_center/static/9270.php参考:报价:4935参考:网址:http://www.securityfocus.com/bid/4935格式字符串漏洞在客户机1.1.0 log_doit把NNTP的函数允许恶意消息服务器来执行任意代码在客户端通过服务器响应格式字符串。万博下载包分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0913 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = 
= = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0921网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0921最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020611 CGIscript.net——csNews。万博下载包cgi -多个漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0091.html参考:XF: cgiscript-csnews-in万博下载包formation-disclosure(9331)参考:网址:http://www.iss.net/security_center/static/9331.phpCGIScript.net cs万博下载包News。cgi允许远程攻击者获得潜在的敏感信息,如完整的服务器路径名和其他配置设置,通过viewnews命令一个无效的数据库,泄漏信息的错误消息。万博下载包分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0921 3供应商确认:未知discloser-claimed内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0922网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0922最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020611 CGIscript.net——csNews。万博下载包cgi -多个漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0091.html参考:XF: cgiscript-csnews-ad万博下载包min-access(9333)参考:网址:http://www.iss.net/security_center/static/9333.php参考:XF: cgiscript-csnews-fi万博下载包le-disclosure(9332)参考:网址:http://www.iss.net/security_center/static/9332.php参考:报价:4991参考:网址:http://www.securityfocus.com/bid/4991参考:报价:4993参考:网址:http://www.securityfocus.com/bid/4993CGIScript.net cs万博下载包News。cgi允许远程攻击者获取数据库文件通过直接请求url编码(1)违约% 2教育局或(2)违约% 2教育局。风格,或远程通过身份验证的用户通过(3)执行管理操作数据库参数设置为默认% 2教育局。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0922 3供应商确认:未知discloser-claimed内容决定:SF-LOC抽象:CD: SF-LOC表明,相同类型的所有问题被合并。虽然有单独的“组件”,在某种意义上,有不同的身份验证需求,潜在的问题基本上是一样的:由于编码一个规范化的问题。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = 
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0923网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0923最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020611 CGIscript.net——csNews。万博下载包cgi -多个漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0091.html参考:报价:4994参考:网址:http://www.securityfocus.com/bid/4994参考:XF: cgiscript-csnews-ad万博下载包min-access(9333)参考:网址:http://www.iss.net/security_center/static/9333.phpCGIScript.net cs万博下载包News。cgi允许远程经过身份验证的用户读取任意文件,并可能获得特权,通过(1)pheader或(2)pfooter参数在“高级设置”功能。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0923 3供应商确认:未知discloser-claimed内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0924网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0924最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020611 CGIscript.net——csNews。万博下载包cgi -多个漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0091.html参考:报价:4451参考:网址:http://online.securityfocus.com/bid/4451CGIScript.net cs万博下载包News。Perl cgi允许远程身份验证的用户执行任意代码通过终止报价和元字符在文本字段的“高级设置”功能。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0924 3供应商确认:未知discloser-claimed内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0931网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0931最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020610 [ARL02-A15] 
MyHelpdesk参考多种安全问题:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0057.html参考:报价:4967参考:网址:http://www.securityfocus.com/bid/4967参考:报价:4970参考:网址:http://www.securityfocus.com/bid/4970参考:XF: myhelpdesk-new-ticket-xss(9319)参考:网址:http://www.iss.net/security_center/static/9319.php参考:XF: myhelpdesk-index-php-xss(9320)参考:网址:http://www.iss.net/security_center/static/9320.phpMyHelpDesk 20020509跨站点脚本漏洞,可能其他版本,允许远程攻击者执行脚本和其他用户通过一个标题(1)或(2)描述当一个新的机票是由一个支持助理,通过“id”参数索引。(3)tickettime php脚本,(4)ticketfiles, (5) updateticketlog操作,或者通过更新(6)部分票时编辑。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0931 3供应商确认:内容决定:SF-LOC, SF-EXEC抽象:CD: SF-LOC建议把相同类型的问题结合成相同的项目。有些人可能区分“脚本注入链接”和“脚本注入HTML页面,但这些也可以认为不同的攻击向量的问题“不引用或清理脚本提交给另一方时,“所以CVE需要这些问题的方法都是相同的。CD: SF-EXEC进一步表明,相同类型的问题,在同一版本,应该结合起来。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0932网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0932最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020610 [ARL02-A15] MyHelpdesk参考多种安全问题:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0057.html参考:报价:4971参考:网址:http://www.securityfocus.com/bid/4971参考:XF: myhelpdesk-sql-injection(9321)参考:网址:http://www.iss.net/security_center/static/9321.phpSQL注入漏洞的指数。php MyHelpDesk 20020509,可能是其他版本,允许远程攻击者通过SQL代码进行未经授权的活动“id”参数的操作(1)detailticket, (2) editticket,或(3)updateticketlog。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0932 3供应商确认:内容决定:SF-LOC, SF-EXEC抽象:CD: SF-LOC建议把相同类型的问题结合成相同的项目。有些人可能区分“脚本注入链接”和“脚本注入HTML页面,但这些也可以认为不同的攻击向量的问题“不引用或清理脚本提交给另一方时,“所以CVE需要这些问题的方法都是相同的。CD: SF-EXEC进一步表明,相同类型的问题,在同一版本,应该结合起来。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST 
HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0933网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0933最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020610 Datalex BookIt !消费密码漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0063.html参考:报价:4972参考:网址:http://www.securityfocus.com/bid/4972参考:XF: bookit-plaintext-passwords(9316)参考:网址:http://www.iss.net/security_center/static/9316.phpDatalex PLC BookIt !消费者在2.2之前将用户名和密码存储在明文饼干,这可能允许远程攻击者获得特权通过跨站点脚本或嗅探攻击。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0933 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0934网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0934最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020610 AlienForm2 CGI脚本:任意文件读/写参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0068.html参考:报价:4983参考:网址:http://www.securityfocus.com/bid/4983参考:XF: alienform2-directory-traversal(9325)参考:网址:http://www.iss.net/security_center/static/9325.php目录遍历脆弱性乔恩·哈德利·AlienForm2(通常安装af.cgi或alienform.cgi)允许远程攻击者读取或修改任意文件通过一个非法字符中间的. 
.(点点)序列的参数(1)或(2)_out_file _browser_out。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0934 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0936网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0936最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:VULNWATCH: 20020611 [VULNWATCH]通用Crash-JSP参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0095.html参考:XF: jsp-engine-wprinterjob-dos(9339)参考:网址:http://www.iss.net/security_center/static/9339.php参考:报价:4995参考:网址:http://www.securityfocus.com/bid/4995Java服务器页面(JSP)引擎在Tomcat中允许web页面所有者造成拒绝服务(web服务器引擎崩溃)通过一个JSP页面调用WPrinterJob () .pageSetup (null, null)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0936 3供应商确认:内容决定:SF-CODEBASE准确性:原文不包含版本信息。抽象:它不是特别清楚代码库Tomcat和JRun之间可能存在的关系。有可能实现,这不是一个错误的,而在J2EE或JRE。相同的事实,模糊的代码演示了问题在这两个地方,表示某种类型的共性。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0937网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0937最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:VULNWATCH: 20020611 [VULNWATCH]通用Crash-JSP参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0095.html参考:XF: jsp-engine-wprinterjob-dos(9339)参考:网址:http://www.iss.net/security_center/static/9339.php参考:报价:4997参考:网址:http://www.securityfocus.com/bid/4997Java服务器页面(JSP)引擎JRun允许网页所有者造成拒绝服务(web服务器引擎崩溃)通过一个JSP页面调用WPrinterJob () .pageSetup (null, null)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0937 
3供应商确认:内容决定:SF-CODEBASE准确性:原文不包含版本信息。抽象:它不是特别清楚代码库Tomcat和JRun之间可能存在的关系。有可能实现,这不是一个错误的,而在J2EE或JRE。相同的事实,模糊的代码演示了问题在这两个地方,表示某种类型的共性。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0949网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0949最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020605一些漏洞Telindus 11 xx路由器系列参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0028.html参考:报价:4946参考:网址:http://www.securityfocus.com/bid/4946参考:XF: telindus-adsl-information-leak(9277)参考:网址:http://www.iss.net/security_center/static/9277.phpTelindus 1100系列ADSL路由器允许远程攻击者获得特权和设备通过一个特定的数据包UDP端口9833,而产生应答,包括路由器在明文的密码和其他敏感信息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0949 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0956网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0956最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:VULNWATCH: 20020606 [VULNWATCH]毕马威- 2002019:我不代理防火墙后备用参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0090.html毕马威参考:BUGTRAQ: 20020606 - 2002019:我不代理防火墙后备用参考:网址:http://online.securityfocus.com/archive/1/275710参考:报价:4950参考:网址:http://www.securityfocus.com/bid/4950参考:XF: blackice-standby-inactivate(9275)参考:网址:http://www.iss.net/security_center/static/9275.php3.1我代理。宝莲寺并不总是激活后一个备用系统,这可能允许远程攻击者和本地用户绕过防火墙的限制。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0956 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - 
-可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0959网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0959最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020606 Splatt论坛XSS参考:网址:http://online.securityfocus.com/archive/1/275744参考:VULNWATCH: 20020606 [VULNWATCH] Splatt论坛XSS参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0091.html参考:XF: splatt-forum-img-xss(9279)参考:网址:http://www.iss.net/security_center/static/9279.php参考:报价:4953参考:网址:http://www.securityfocus.com/bid/4953跨站点脚本漏洞在Splatt论坛3.0允许远程攻击者执行任意脚本,其他用户通过一个[img]关闭的标签,引用脚本紧随其后。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0959 3供应商确认:未知的外国确认:供应商ack无法确定,因为供应商的网站是在意大利。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0960网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0960最终决定:阶段性裁决:修改:建议:20020830分配:20020816类别:科幻参考:BUGTRAQ: 20020606 cbm: XSS和SQL注入漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-06/0043.html参考:报价:4957参考:网址:http://www.securityfocus.com/bid/4957参考:XF: cbms-php-xss(9294)参考:网址:http://www.iss.net/security_center/static/9294.php多个跨站点脚本漏洞在体素点净cbm 0.7和更早的允许远程攻击者执行任意其他cbm用户脚本。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0960 3供应商确认:未知的模糊的内容决定:SF-LOC确认:供应商确认太模糊了。供应商的网页说“请下载最新版本的煤层气(是0.7.1)由于众多安全补丁!”和一条更新日志包括可追溯到5/24/2002说“固定安全问题处理查询是如何构建的,“但这是太模糊,知道供应商是修复XSS问题,SQL问题,两者,或没有。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST 
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0961
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0961
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020606 CBMS: XSS and SQL Injection vulnerabilities
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0043.html
Reference: BID:4957
Reference: URL:http://www.securityfocus.com/bid/4957
Reference: XF:cbms-php-sql-injection(9295)
Reference: URL:http://www.iss.net/security_center/static/9295.php

Vulnerability in Voxel Dot Net CBMS 0.7 and earlier allows remote attackers to perform unauthorized actions as other users, such as deleting clients via dltclnt.php, possibly in an SQL injection attack.

Analysis
----------------
ED_PRI CAN-2002-0961 3
Vendor Acknowledgement: unknown vague
Content Decisions: SF-LOC

ACKNOWLEDGEMENT: The vendor acknowledgement is too vague. The vendor's web page says "Please download the latest version of CBMS (which is 0.7.1) due to numerous security patches!" and a changelog entry dated 5/24/2002 says "Fixed security issues dealing with how queries are constructed," but this is too vague to know whether the vendor is fixing the XSS issues, the SQL issues, both, or neither.

ACCURACY: The advisory says this is an SQL injection problem, but the exploit does not appear to supply any "malformed" SQL; it appears to use a well-formed ID, which may mean this is really an "authentication bypass" type of vulnerability.

Voting Section
----------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include the reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0962
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0962
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020610 [ARL02-A13] GeekLog Multiple Security Issues
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0058.html
Reference: CONFIRM:http://geeklog.sourceforge.net/article.php?story=20020610013358149
Reference: XF:geeklog-index-comment-xss(9310)
Reference: URL:http://www.iss.net/security_center/static/9310.php
Reference: XF:geeklog-calendar-event-xss(9309)
Reference: URL:http://www.iss.net/security_center/static/9309.php
Reference: BID:4969
Reference: URL:http://www.securityfocus.com/bid/4969
Reference: BID:4974
Reference: URL:http://www.securityfocus.com/bid/4974

Cross-site scripting vulnerabilities in GeekLog 1.3.5 and earlier allow remote attackers to execute arbitrary script via the (1) url variable for the linked field of calendar events, (2) topic parameter to index.php, or (3) title parameter to comment.php.

Analysis
----------------
ED_PRI CAN-2002-0962 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
----------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include the reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:

======================================================
Candidate: CAN-2002-0963
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0963
Final-Decision:
Interim-Decision:
Modified:
Proposed: 20020830
Assigned: 20020816
Category: SF
Reference: BUGTRAQ:20020610 [ARL02-A13] GeekLog Multiple Security Issues
Reference: URL:http://archives.neohapsis.com/archives/bugtraq/2002-06/0058.html
Reference: CONFIRM:http://geeklog.sourceforge.net/article.php?story=20020610013358149
Reference: BID:4968
Reference: URL:http://www.securityfocus.com/bid/4968
Reference: XF:geeklog-sql-injection(9311)
Reference: URL:http://www.iss.net/security_center/static/9311.php

SQL injection vulnerability in comment.php for GeekLog 1.3.5 and earlier allows remote attackers to obtain sensitive user information via the pid parameter.

Analysis
----------------
ED_PRI CAN-2002-0963 3
Vendor Acknowledgement: yes advisory
Content Decisions: SF-LOC

Voting Section
----------------
Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT
If ACCEPT or MODIFY, include the reason for acceptance:
VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST,
HAS-INDEPENDENT-CONFIRMATION, or provide other reason.

VOTE:
ACCEPT_REASON:
COMMENTS:
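The ACCURACY note on CAN-2002-0961 and the description of CAN-2002-0963 describe two different failure modes that both get reported as "SQL injection": a numeric parameter (like a pid) pasted into the query text, and a well-formed ID accepted without checking who owns the record. The following is an added illustration, written for this page and not taken from GeekLog, CBMS, or either advisory; the schema, table and column names, the sample rows, and the function names are all hypothetical. It shows why parameterization fixes the first class but not the second, which needs an ownership predicate.

```python
"""Constructed illustration (not GeekLog or CBMS code) of two failure modes that
both get labelled "SQL injection": a concatenated numeric parameter, and a
parameterized query that is missing an authorization check."""
import sqlite3


def make_db():
    """Hypothetical schema and sample rows, constructed for this example."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (uid INTEGER PRIMARY KEY, username TEXT, email TEXT, passwd TEXT);
        CREATE TABLE comments (cid INTEGER PRIMARY KEY, uid INTEGER, title TEXT, body TEXT);
        CREATE TABLE clients (id INTEGER PRIMARY KEY, owner_uid INTEGER, name TEXT);
        INSERT INTO users VALUES (1, 'alice', 'alice@example.org', 's3cret');
        INSERT INTO users VALUES (2, 'bob', 'bob@example.org', 'hunter2');
        INSERT INTO comments VALUES (10, 1, 'hello', 'first post');
        INSERT INTO comments VALUES (11, 2, 'hi', 'second post');
        INSERT INTO clients VALUES (100, 1, 'acme');
        INSERT INTO clients VALUES (101, 2, 'globex');
        """
    )
    return conn


# Failure mode 1: the request parameter becomes part of the SQL text.
# A pid that is not a number is executed as SQL, so a UNION can pull rows
# from an unrelated table (here the users table, including passwords).

def fetch_comment_vulnerable(conn, pid):
    sql = "SELECT title, body FROM comments WHERE cid = " + pid
    return conn.execute(sql).fetchall()


def fetch_comment_fixed(conn, pid):
    """Validate the type first, then bind the value; non-numeric input never reaches SQL."""
    try:
        cid = int(pid)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT title, body FROM comments WHERE cid = ?", (cid,)
    ).fetchall()


# Failure mode 2: the query is parameterized and not injectable, but nothing
# ties the record to the requesting user. A well-formed ID belonging to someone
# else is enough, which is the "authentication bypass" pattern, not injection.

def delete_client_no_authz(conn, actor_uid, client_id):
    """actor_uid is deliberately unused: any logged-in user can delete any client."""
    cur = conn.execute("DELETE FROM clients WHERE id = ?", (int(client_id),))
    conn.commit()
    return cur.rowcount


def delete_client_fixed(conn, actor_uid, client_id):
    """Ownership is part of the predicate; rowcount 0 means not found or not owned."""
    cur = conn.execute(
        "DELETE FROM clients WHERE id = ? AND owner_uid = ?",
        (int(client_id), actor_uid),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = make_db()
    payload = "0 UNION SELECT username, passwd FROM users"
    print("vulnerable:", fetch_comment_vulnerable(db, payload))
    print("fixed:     ", fetch_comment_fixed(db, payload))
    print("bob deletes alice's client, no authz:", delete_client_no_authz(db, 2, "100"))
    db = make_db()
    print("bob deletes alice's client, fixed:   ", delete_client_fixed(db, 2, "100"))
```

When triaging an advisory, the question the CAN-2002-0961 note is asking can be answered with this distinction: if the proof of concept works with a syntactically ordinary ID, the fix is an ownership check like the one in delete_client_fixed, and parameterizing the query alone would leave the bug in place.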

Page last updated or reviewed: May 22, 2007