(提案)集群确认- 2002 - 51候选人

我提出集群确认- 2002 a为审查和编辑委员会的投票。名称:确认- 2002描述:罐装明确供应商ack。从2002年3月至2002年9月大小:51通过修改这封邮件你可能投票的候选人投票,将它寄回给我,或通过使用CVE投票网站。中列出的候选人优先秩序。优先级1和优先级2的候选人都应对不同层次的供应商确认,所以他们应该易于检查和可以信任的,是真实的问题。总结的选票使用(“严重程度”的按升序)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -接受——选民接受候选人提出的等待——选民对候选人没有意见修改选民想要改变一些小细节(例如参考/描述)审查-选民正在审查/研究候选人,或需要更多的信息,重塑候选人必须大幅修改,如分割或合并拒绝候选人不是“漏洞”,或重复等。1)请写你的投票在直线上,从“投票:”开始。如果你想添加评论或细节,在投票后将它们添加到线:线。2)如果你看到任何失踪的引用,请提及他们,使他们可以包括在内。在映射引用帮助极大。3)请注意,“修改”被视为一个“接受”当计算选票。 So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING. ********** NOTE ********** NOTE ********** NOTE ********** NOTE ********** Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats. ====================================================== Candidate: CAN-2002-0376 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0376最终决定:阶段性裁决:修改:建议:20030317分配:20020513类别:科幻参考:ATSTAKE: A091002-1参考:网址:http://www.atstake.com/research/advisories/2002/a091002 - 1. - txt参考:BUGTRAQ: 20020925 Fwd: QuickTime Windows ActiveX安全咨询参考:网址:http://online.securityfocus.com/archive/1/293095参考:XF: quicktime-activex-pluginspage-bo(10077)参考:网址:http://www.iss.net/security_center/static/10077.php参考:报价:5685参考:网址:http://www.securityfocus.com/bid/5685缓冲区溢出在苹果QuickTime 5.0 ActiveX组件允许远程攻击者通过长pluginspage字段执行任意代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0376 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0627网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0627最终决定:阶段性裁决:修改:建议:20030317分配:20020617类别:科幻参考:国际空间站:20020904多个远程漏洞在宝利通视频会议产品参考:网址:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21089参考:确认:pdf 00. http://www.polycom.com/common/pw_item_show_doc/0, 1444参考:CIAC: m - 123参考:网址:http://www.ciac.org/ciac/bulletins/m - 123. shtml参考:XF: viewstation-unicode-retrieve-password(9348)参考:网址:http://www.iss.net/security_center/static/9348.php参考:报价:5632参考:网址:http://www.securityfocus.com/bid/5632Web服务器之前该ViewStation 7.2.4允许远程攻击者绕过身份验证和读取文件通过Unicode编码的请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0627 1供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0630网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0630最终决定:阶段性裁决:修改:建议:20030317分配:20020617类别:科幻参考:国际空间站:20020904多个远程漏洞在宝利通视频会议产品参考:网址:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21089参考:确认:pdf 00. http://www.polycom.com/common/pw_item_show_doc/0, 1444参考:CIAC: m - 123参考:网址:http://www.ciac.org/ciac/bulletins/m - 123. shtml参考:XF: viewstation-icmp-dos(9350)参考:网址:http://www.iss.net/security_center/static/9350.php参考:报价:5637参考:网址:http://www.securityfocus.com/bid/5637之前,Telnet服务该ViewStation 7.2.4允许远程攻击者造成拒绝服务(崩溃)通过长或畸形的ICMP数据包。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0630 1供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0850网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0850最终决定:阶段性裁决:修改:建议:20030317分配:20020809类别:科幻参考:BUGTRAQ: 20020906 Foundstone实验室咨询-远程利用缓冲区溢位在PGP参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103133995920090&w=2参考:VULNWATCH: 20020905 [VULNWATCH] Foundstone实验室咨询——远程利用缓冲区溢出在PGP参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0106.html参考:确认:http://download.nai.com/products/licensed/pgp/desktop_security/windows/version_7.1.1/pgphotfix_outlookplugin711/ReadMe.txt缓冲区溢出PGP公司桌面安装7.1.1允许远程攻击者执行任意代码通过一个加密的文档,有很长的文件名时解密。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0850 1供应商确认:是的咨询确认:PGP公司桌面7.1发行说明。x状态:“虽然PGP支持长文件名,在遇到问题时试图进行加密或解密文件超过200字符的名字……有关这个问题的更多信息,请参见Foundstone实验室咨询- 080202 pcro。”While the advisory ID is different than the one in Foundstone's Bugtraq post, Foundstone did confirm via email that both ID's reference the same issue. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-1109 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1109最终决定:阶段性裁决:修改:建议:20030317分配:20020906类别:科幻参考:确认:http://marc.theaimsgroup.com/?l=amavis-announce&m=103121272122242&w=2参考:BUGTRAQ: 20020905 GLSA: amavis参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103124270321404&w=2参考:XF: amavis-securetar-tar-dos(10056)参考:网址:http://www.iss.net/security_center/static/10056.phpsecuretar,用于AMaViS shell脚本0.2.1早些时候,允许用户造成拒绝服务(CPU消耗)通过一个TAR文件畸形,可能通过一个不正确的文件大小的参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1109 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1117网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1117最终决定:阶段性裁决:修改:建议:20030317分配:20020906类别:科幻参考:BUGTRAQ: 20020906 Veritas Backup Exec打开网络基于NetBIOS攻击?参考网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103134395124579&w=2参考:BUGTRAQ: 20020906更新:(是Veritas Backup Exec打开网络基于NetBIOS攻击?)参考网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103134930629683&w=2参考:确认:http://seer.support.veritas.com/docs/238618.htmVeritas Backup Exec 8.5和更早的要求“RestrictAnonymous”注册表键为微软Exchange 2000必须设置为0,这使得匿名SAM数据库的清单和股票。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1117 1供应商确认:是的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1122网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1122分配最终决定:阶段性裁决:修改:建议:20030317:20020911类别:科幻参考:VULNWATCH: 20020918 Foundstone研究实验室咨询——远程利用缓冲区溢出在空间站扫描仪参考:国际空间站:20020918缺陷在互联网扫描仪解析机制参考:网址:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21165参考:XF: is-http-response-bo(10130)参考:网址:http://www.iss.net/security_center/static/10130.php参考:报价:5738参考:网址:http://www.securityfocus.com/bid/5738缓冲区溢出的ISS网络扫描仪6.2.1解析机制,当使用许可横幅HTTP检查,允许远程攻击者执行任意代码通过一个web服务器响应。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1122 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1135网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1135最终决定:阶段性裁决:修改:建议:20030317分配:20020923类别:科幻参考:BUGTRAQ: 20020922 PHP源注入phpWebSite参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103279980906880&w=2参考:确认:http://phpwebsite.appstate.edu/article.php?sid=400参考:XF: phpwebsite-modsecurity-file-include(10164)参考:网址:http://www.iss.net/security_center/static/10164.php参考:报价:5779参考:网址:http://www.securityfocus.com/bid/5779modsecurity。php 1.10和更早,在phpWebSite 0.8.2早些时候,允许远程攻击者执行任意php源代码通过inc_prefix参数指向恶意代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1135 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1153网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1153最终决定:阶段性裁决:修改:建议:20030317分配:20020924类别:科幻参考:BUGTRAQ:毕马威20020919 - 2002035:IBM Websphere大标题DoS参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103244572803950&w=2参考:确认:ftp://ftp.software.ibm.com/software/websphere/appserv/support/fixes/pq62144/readme.txt参考:XF: websphere-host-header-bo(10140)参考:网址:http://www.iss.net/security_center/static/10140.php参考:报价:5749参考:网址:http://www.securityfocus.com/bid/5749IBM Websphere 4.0.3允许远程攻击者可能导致拒绝服务(崩溃)和执行任意代码通过一个HTTP请求和HTTP头信息,如“主机”。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1153 1供应商确认:是的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1154网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1154最终决定:阶段性裁决:修改:建议:20030317分配:20020925类别:科幻参考:确认:http://www.analog.cx/security5.html参考:XF: analog-anlgform-dos(10344)参考:网址:http://www.iss.net/security_center/static/10344.phpanlgform。pl在模拟5.23不限制PROGRESSFREQ进展更新命令,远程攻击者可以引起拒绝服务(磁盘消费)通过使用命令报告更新更频繁、填充web服务器错误日志。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1154 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1414网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1414最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:VULN-DEV: 20020806 qmailadmin SUID缓冲区溢位参考:网址:http://marc.theaimsgroup.com/?l=vuln-dev&m=102859603029424&w=2参考:BUGTRAQ: 20020724 Re: qmailadmin SUID缓冲区溢位参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-08/0016.html参考:确认:http://www.inter7.com/qmailadmin/ChangeLog参考:报价:5404参考:网址:http://www.securityfocus.com/bid/5404参考:XF: qmailadmin-templatedir-bo(9786)参考:网址:http://www.iss.net/security_center/static/9786.php缓冲区溢出qmailadmin允许本地用户获得特权通过长QMAILADMIN_TEMPLATEDIR环境变量。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1414 1供应商确认:是的咨询确认:更新日志包含一个条目日期为8月6日,2002年,国家“固定本地溢出在模板代码。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1417网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1417最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020820这- 2002 - 2963297 - NetBasic缓冲区溢位+脚本漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-08/0199.html参考:确认:http://support.novell.com/servlet/tidfinder/2963297参考:报价:5523参考:网址:http://www.securityfocus.com/bid/5523参考:XF: novell-netbasic-directory-traversal(9910)参考:网址:http://www.iss.net/security_center/static/9910.php目录遍历脆弱性Novell NetBasic脚本服务器(NSN)网络5.1和6日和Novell小企业套件5.1和6,允许远程攻击者读取任意文件通过一个URL包含一个“. .% 5 c”序列(圆点)修改,这是映射到目录分隔符。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1417 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1418网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1418最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020820这- 2002 - 2963297 - NetBasic缓冲区溢位+脚本漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-08/0199.html参考:确认:http://support.novell.com/servlet/tidfinder/2963297参考:XF: novell-netbasic-interpreter-bo(9911)参考:网址:http://www.iss.net/security_center/static/9911.php参考:报价:5524参考:网址:http://www.securityfocus.com/bid/5524缓冲区溢出的解释器Novell NetBasic脚本服务器(NSN)网络5.1和6日和Novell小企业套件5.1和6,允许远程攻击者造成拒绝服务(异常终止)通过一个漫长的模块名称。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1418 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1430网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1430最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020730(咨询):任意文件披露漏洞Sympoll 1.2参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-07/0401.html参考:确认:http://www.ralusp.net/downloads/sympoll/changelog.txt参考:报价:5360参考:网址:http://www.securityfocus.com/bid/5360参考:XF: sympoll-php-view-files(9723)参考:网址:http://www.iss.net/security_center/static/9723.php未知的漏洞在Sympoll 1.2允许远程攻击者读取任意文件启用register_globals时,可能通过修改某些PHP变量通过URL参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1430 1供应商确认:是的、确认:供应商的变更为1.3版包含一个条目标记为“重要的安全修复”,相信一个人也认为Bugtraq邮报》的作者。Bugtraq发布的日期和供应商的变更也相同的(7月30日)。准确性:尽管Bugtraq海报和供应商说PHP变量是直接通过URL参数修改,这是行为register_globals另有预防的功能,在许多PHP脚本和典型的漏洞。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1435网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1435最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020822任意代码执行问题在Achievo参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-08/0235.html参考:确认:http://www.achievo.org/lists/2002/Aug/msg00092.html参考:XF: achievo-php-execute-code(9947)参考:网址:http://www.iss.net/security_center/static/9947.php参考:报价:5552参考:网址:http://www.securityfocus.com/bid/5552class.atkdateattribute.js。php在Achievo 0.7.0通过0.9.1,除了0.8.2,允许远程攻击者执行任意的php代码启用“allow_url_fopen”设置时通过一个URL config_atkroot参数指向代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1435 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1436网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1436最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020820这- 2002 - 2963307 - PERL处理程序漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-08/0202.html参考:确认:http://support.novell.com/servlet/tidfinder/2963307参考:XF: netware-perl-code-execution(9916)参考:网址:http://www.iss.net/security_center/static/9916.php参考:报价:5520参考:网址:http://www.securityfocus.com/bid/5520web 5.003处理程序Perl 5.1网络操作系统,网络6允许远程攻击者执行任意Perl代码通过一个HTTP POST请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1436 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1437网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1437最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020820这- 2002 - 2963307 - PERL处理程序漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-08/0202.html参考:确认:http://support.novell.com/servlet/tidfinder/2963307参考:报价:5522参考:网址:http://www.securityfocus.com/bid/5522参考:XF: netware-perl-directory-traversal(9915)参考:网址:http://www.iss.net/security_center/static/9915.php目录遍历脆弱性在web 5.003处理程序Perl 5.1网络操作系统,网络6允许远程攻击者读取任意文件通过一个HTTP请求包含" . .圆点反斜杠)% 5 c”(url编码序列。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1437 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1438网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1438最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020820这- 2002 - 2963307 - PERL处理程序漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-08/0202.html参考:确认:http://support.novell.com/servlet/tidfinder/2963307参考:XF: netware-perl-information-disclosure(9917)参考:网址:http://www.iss.net/security_center/static/9917.php参考:报价:5521参考:网址:http://www.securityfocus.com/bid/5521web 5.003处理程序Perl 5.1网络操作系统,网络6允许远程攻击者通过- v选项获得Perl版本信息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1438 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1443网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1443最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020808利用Google工具栏(GM # 001 - mc)参考:网址:http://online.securityfocus.com/archive/1/286527参考:NTBUGTRAQ: 20020808利用Google工具栏(GM # 001 - mc)参考:网址:http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0066.html参考:MISC:http://sec.greymagic.com/adv/gm001-mc/参考:确认:http://toolbar.google.com/whatsnew.php3参考:报价:5426参考:网址:http://www.securityfocus.com/bid/5426谷歌工具栏1.1.58早些时候,允许远程网站监控用户的输入工具栏通过一个“onkeydown”事件处理程序。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1443 1供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1446网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1446最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020819 nCipher公司咨询# 5:C_Verify验证错误的对称特征参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-08/0172.html参考:确认:http://www.ncipher.com/support/advisories/advisory5_c_verify.html参考:报价:5498参考:网址:http://www.securityfocus.com/bid/5498参考:XF: ncipher-cverify-improper-verification(9895)参考:网址:http://www.iss.net/security_center/static/9895.php错误检查例程用于C_Verify呼吁对称验证的关键nCipher公司PKCS # 11图书馆1.2.0后来返回CKR_OK地位甚至当它检测到一个无效的签名,这可能允许远程攻击者修改或伪造信息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1446 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1448网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1448最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:CF参考:BUGTRAQ: 20020805 SNMP脆弱性亚美亚法人后裔固件参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-07/0519.html参考:确认:http://support.avaya.com/security/Unauthorized_SNMP/index.jhtml参考:XF: avaya-cajun-default-snmp(9769)参考:网址:http://www.iss.net/security_center/static/9769.php参考:报价:5396参考:网址:http://www.securityfocus.com/bid/5396一个无证SNMP读/写社区字符串(“NoGaH $ @ !”)在亚美亚P330, P130, M770-ATM法人后裔产品允许远程攻击者获得管理权限。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1448 1供应商确认:是的咨询确认:供应商的安全顾问学分Jacek Lipkowski Bugtraq邮报》的作者。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1463网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1463最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020802安全顾问:猛禽防火墙弱还脆弱参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-07/0492.html参考:确认:http://www.symantec.com/techsupp/bulletin/archive/firewall/082002firewall.html赛门铁克猛禽防火墙6.5和6.5.3,企业防火墙6.5.2和7.0,迅猛龙模型500/700/1000和1100/1200/1300,和网关安全5110/5200/5300生成容易预测初始序列号(是),它允许远程攻击者恶搞连接。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1463 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1467网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1467最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020808 Macromedia Flash插件可以读取本地文件参考:网址:http://online.securityfocus.com/archive/1/286625参考:确认:http://www.macromedia.com/v1/handlers/index.cfm?ID=23294参考:报价:5429参考:网址:http://www.securityfocus.com/bid/5429参考:XF: flash-same-domain-disclosure(9797)参考:网址:http://www.iss.net/security_center/static/9797.phpMacromedia Flash插件之前6 0,47岁,0允许远程攻击者绕过同一域限制和读取任意文件通过HTTP重定向(1),(2)一个“文件:/ /”基地在web文档,或(3)一个相对URL从web归档(mht文件)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1467 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1469网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1469最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020820漏洞在scponly参考:网址:http://online.securityfocus.com/archive/1/288245参考:确认:http://www.sublimation.org/scponly/参考:报价:5526参考:网址:http://www.securityfocus.com/bid/5526参考:XF: scponly-ssh-env-upload(9913)参考:网址:http://www.iss.net/security_center/static/9913.phpscponly不正确验证路径时,发现(1)scp或(2)sftp服务器程序,这可能允许远程经过身份验证的用户绕过访问控制通过上传恶意程序和修改在$ HOME / path变量。ssh /环境来定位这些项目。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1469 1供应商确认:是的、确认:在发布说明scponly是一项名为“2002年8月补遗”和国家“德里克·d·马丁(大参考)给我发了一个可利用的漏洞条件,可用于运行任意命令,从而绕过scponly !”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1496网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1496最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020922远程利用堆溢出在零HTTPd 0.5.0参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0284.html参考:确认:http://freshmeat.net/releases/97910/参考:报价:5774参考:网址:http://www.securityfocus.com/bid/5774参考:XF: null-httpd-contentlength-bo(10160)参考:网址:http://www.iss.net/security_center/static/10160.php早些时候在空HTTP服务器0.5.0和基于堆的缓冲区溢出允许远程攻击者执行任意代码通过一个负值的内容长度HTTP头。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1496 1供应商确认:是的changelog投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1497网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1497最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:确认:http://freshmeat.net/releases/97910/跨站点脚本(XSS)早些时候在HTTP服务器0.5.0和零漏洞允许远程攻击者任意HTML插入一个“404 Not Found”反应。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1497 1供应商确认:是的、确认:0.5.1的更新日志包含一个声明,新版本在404年“修复XSS过滤反应。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1502网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1502最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020912 xbreaky符号链接漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0131.html参考:确认:http://xbreaky.sourceforge.net/参考:报价:5700参考:网址:http://www.securityfocus.com/bid/5700参考:XF: xbreaky-breakyhighscores-symlink(10078)参考:网址:http://www.iss.net/security_center/static/10078.php符号链接漏洞在xbreaky 0.5.5允许本地用户覆盖任意文件通过一个符号链接从用户的.breakyhighscores文件到目标文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1502 1供应商确认:是的、确认:在首页xbreaky,变更日期为9月12日,2002年,说“马可·范Berkum(大参考)发现了一个bug xbreaky”问题的,包括一个简短的描述。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1407网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1407最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020810 TinySSL供应商声明:基本约束脆弱性参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-08/0096.html参考:BUGTRAQ: 20020805 IE SSL脆弱性参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=102866120821995&w=2参考:报价:5410参考:网址:http://www.securityfocus.com/bid/5410TinySSL 1.02和更早的不验证的基本约束一个中间由ca签名的证书时,远程攻击者可以恶搞可信站点的证书通过中间人攻击。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1407 2供应商确认:是的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1420网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1420最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020812 OpenBSD安全顾问:选择边界条件(fwd)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=102918817012863&w=2参考:报价:5442参考:网址:http://www.securityfocus.com/bid/5442参考:XF: openbsd-select-bo(9809)参考:网址:http://www.iss.net/security_center/static/9809.php整数signedness错误select()早些时候在OpenBSD 3.1和允许本地用户覆盖任意内核内存通过一个负值的大小参数,满足边界检查作为有符号整数,但后来用作数据复制操作期间无符号整数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1420 2供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1493网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1493最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020914莱科思HTMLGear留言板脚本注入漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0198.html参考:VULNWATCH: 20020926 [VULNWATCH] BugTraq ID: 5728参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0132.html参考:报价:5728参考:网址:http://www.securityfocus.com/bid/5728跨站点脚本(XSS)脆弱性莱科思HTMLGear留言板允许远程攻击者注入任意脚本通过(1)样式属性或(2)在一个IMG SRC属性标签。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1493 2供应商确认:是的跟踪投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1519网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1519最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20020927软件更新可用于遗留RapidStream电器和沃奇卫士燃烧室Vclass电器参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0335.html参考:BUGTRAQ: 20020926沃奇卫士防火墙设备安全问题参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0325.html参考:报价:5814参考:网址:http://www.securityfocus.com/bid/5814参考:XF: firebox-vclass-cli-format-string(10217)参考:网址:http://www.iss.net/security_center/static/10217.php格式字符串漏洞在CLI接口沃奇卫士燃烧室Vclass 3.2和早些时候,RSSA电器3.0.2,允许远程攻击者造成拒绝服务和可能的执行任意代码通过密码的格式说明符的字符串参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1519 2供应商确认:是的跟踪投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1520网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1520最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20020927软件更新可用于遗留RapidStream电器和沃奇卫士燃烧室Vclass电器参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0335.html参考:BUGTRAQ: 20020926沃奇卫士防火墙设备安全问题参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0325.html参考:报价:5815参考:网址:http://www.securityfocus.com/bid/5815参考:XF: firebox-vclass-cli-admin-privileges(10218)参考:网址:http://www.iss.net/security_center/static/10218.phpCLI界面沃奇卫士燃烧室Vclass 3.2和早些时候,和RSSA电器3.0.2不正确关闭SSH连接- n选项时提供身份验证期间,它允许远程攻击者访问CLI管理员特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1520 2供应商确认:是的跟踪投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0626网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0626最终决定:阶段性裁决:修改:建议:20030317分配:20020617类别:CF参考:国际空间站:20020904多个远程漏洞在宝利通视频会议产品参考:网址:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21089参考:确认:pdf 00. http://www.polycom.com/common/pw_item_show_doc/0, 1444参考:CIAC: m - 123参考:网址:http://www.ciac.org/ciac/bulletins/m - 123. shtml参考:XF: viewstation-default-blank-password(9347)参考:网址:http://www.iss.net/security_center/static/9347.php参考:报价:5631参考:网址:http://www.securityfocus.com/bid/5631宝利通ViewStation 7.2.4之前有一个默认的管理员帐户的密码为空,它允许任意用户进行未经授权的活动。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0626 3供应商确认:未知的内容决定:CF-PASS投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0628网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0628最终决定:阶段性裁决:修改:建议:20030317分配:20020617类别:科幻参考:国际空间站:20020904多个远程漏洞在宝利通视频会议产品参考:网址:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21089参考:确认:pdf 00. http://www.polycom.com/common/pw_item_show_doc/0, 1444参考:CIAC: m - 123参考:网址:http://www.ciac.org/ciac/bulletins/m - 123. shtml参考:XF: viewstation-telnet-login-dos(9349)参考:网址:http://www.iss.net/security_center/static/9349.php参考:报价:5635参考:网址:http://www.securityfocus.com/bid/5635之前,Telnet服务该ViewStation 7.2.4不限制失败的登录尝试的数量,这使得它更容易为远程攻击者猜测用户名和密码通过蛮力攻击。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0628 3供应商确认:未知的内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0629网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0629最终决定:阶段性裁决:修改:建议:20030317分配:20020617类别:科幻参考:国际空间站:20020904多个远程漏洞在宝利通视频会议产品参考:网址:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21089参考:确认:pdf 00. http://www.polycom.com/common/pw_item_show_doc/0, 1444参考:CIAC: m - 123参考:网址:http://www.ciac.org/ciac/bulletins/m - 123. shtml参考:XF: viewstation-telnet-login-dos(9349)参考:网址:http://www.iss.net/security_center/static/9349.php参考:报价:5636参考:网址:http://www.securityfocus.com/bid/56367.2.4前为该ViewStation Telnet服务允许远程攻击者造成拒绝服务(崩溃)通过多个连接到服务器。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0629 3供应商确认:未知的内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0664网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0664最终决定:阶段性裁决:修改:建议:20030317分配:20020704类别:CF参考:VULNWATCH: 20020906快速7咨询r7 - 0005: ZMerge不安全的默认acl参考:BUGTRAQ: 20020906快速7咨询r7 - 0005: ZMerge不安全的默认acl参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103134154721846&w=2参考:XF: zmerge-admindb-script-access(10057)参考:网址:http://www.iss.net/security_center/static/10057.php参考:报价:5101参考:网址:http://www.securityfocus.com/bid/5101默认的访问控制列表(acl)的管理数据库ZMerge 4。x和5。x为任意用户(包括匿名用户)提供了经理级别的权限,允许用户读取或修改导入/导出脚本。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0664 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0669网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0669最终决定:阶段性裁决:修改:建议:20030317分配:20020709类别:科幻参考:ATSTAKE: A071202-1参考:网址:http://www.atstake.com/research/advisories/2002/a071202 - 1. - txt参考:XF: pingtel-xpressa-web-dos(9564)参考:网址:http://www.iss.net/security_center/static/9564.phpweb界面Pingtel xpressa基于sip的ip电话通过电话1.2.5 1.2.7.4允许管理员引起拒绝服务通过修改SIP_AUTHENTICATE_SCHEME值强制认证的来电,不通知用户身份验证失败发生时。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0669 3供应商确认:未知的内容决定:包容包容:@Stake咨询的格式很难了解这是一个漏洞,或者* *的脆弱性。似乎表明,管理访问web接口是必需的,但是它并没有说是否管理员不应该允许这种有害的变化。早期的“部分”咨询表明web界面管理员可以通过其他漏洞损害如一个默认的管理员密码(可以- 2002 - 0667)。如果“剥削”这个问题只是* *所允许管理员,管理员* *应该让这种变化(即使他们导致了不良反应),那么这不是一个新的弱点,相反,它将其他漏洞的结果。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1090网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1090最终决定:阶段性裁决:修改:建议:20030317分配:20020903类别:科幻参考:确认:http://www.stafford.uklinux.net/libesmtp/ChangeLog.txt缓冲区溢出的read_smtp_response协议。c 0.8.11之前libesmtp外观允许远程SMTP服务器(1)执行任意代码通过某种反应或(2)导致拒绝服务通过服务器响应。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1090 3供应商确认:是的更新日志内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1120网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1120最终决定:阶段性裁决:修改:建议:20030317分配:20020910类别:科幻参考:VULNWATCH: 20020910 Foundstone实验室咨询——缓冲区溢位学者Web服务器参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0112.html参考:XF: savant-long-url-bo(10076)参考:网址:http://www.iss.net/security_center/static/10076.php缓冲区溢出早些时候在莎凡特3.1 Web服务器,允许远程攻击者执行任意代码通过一个HTTP GET请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1120 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1121网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1121最终决定:阶段性裁决:修改:建议:20030317分配:20020911类别:科幻参考:VULNWATCH: 20020912绕过SMTP内容保护的电影一个按钮参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0113.html参考:BUGTRAQ: 20020912绕过SMTP内容保护的电影一个按钮参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103184267105132&w=2参考:BUGTRAQ: 20020912 MIMEDefang更新(Re:绕过SMTP内容保护)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103184501408453&w=2参考:BUGTRAQ: 20020912咆哮的企鹅修复“绕过SMTP内容保护的电影一个按钮“参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0135.html参考:BUGTRAQ: 20020912弗兰克-威廉姆斯:绕过SMTP内容保护的电影一个按钮参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0134.html参考:MISC:http://www.securiteam.com/security万博下载包news/5YP0A0K8CM.html参考:XF: smtp-content-filtering-bypass(10088)参考:网址:http://www.iss.net/security_center/static/10088.phpSMTP内容过滤引擎,包括(1)7.2,之前发给您的交换/ SMTP(2)内扫描VirusWall 3.52构建1494之前,(3)的默认配置MIMEDefang 2.21之前,和可能的其他产品,不检测支离破碎的邮件中定义RFC2046(“消息分片和重组的”)和支持在Outlook Express等产品,它允许远程攻击者绕过内容过滤,包括病毒检查,通过分散的电子邮件消息的/部分内容类型。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1121 3供应商确认:未知的内容决定:SF-CODEBASE投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1149网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1149最终决定:阶段性裁决:修改:建议:20030317分配:20020924类别:科幻参考:BUGTRAQ: 20020924信息披露与Invision板安装(fwd)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103290602609197&w=2参考:XF: invision-phpinfo-information-disclosure(10178)参考:网址:http://www.iss.net/security_center/static/10178.phpInvision板的安装过程表明,用户安装phpinfo。php程序的web根下,泄漏敏感信息如绝对路径名,操作系统信息,和php设置。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1149 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1150网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1150最终决定:阶段性裁决:修改:建议:20030317分配:20020924类别:科幻参考:BUGTRAQ: 20020913网络会议3.01本地RDS会话劫持参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103228375116204&w=2参考:XF: netmeeting-rds-session-hijacking(10119)参考:网址:http://www.iss.net/security_center/static/10119.php远程桌面共享(RDS)屏幕保护保护能力微软网络会议3.01通过与物理访问SP2(4.4.3396)允许攻击者劫持通过输入某些下线或关闭远程会话序列(如热启动),取消产生的用户确认提示,如当远程用户编辑文档。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1150 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1166网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1166最终决定:阶段性裁决:修改:建议:20030317分配:20020927类别:科幻参考:VULNWATCH: 20020930 iDEFENSE安全顾问09.30.2002:缓冲区溢出的WN服务器参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0138.html参考:BUGTRAQ: 20020930 iDEFENSE安全顾问09.30.2002:缓冲区溢出的WN服务器参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103340145725050&w=2参考:XF: wn-server-get-bo(10223)参考:网址:http://www.iss.net/security_center/static/10223.php参考:报价:5831参考:网址:http://www.securityfocus.com/bid/5831缓冲区溢出的约翰·弗兰克斯WN服务器通过2.0.0 1.18.2允许远程攻击者通过漫长的GET请求执行任意代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1166 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1338网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1338最终决定:阶段性裁决:修改:建议:20030317分配:20021203类别:科幻参考:BUGTRAQ: 20020408多个本地文件与油水界面检测问题在IE (GM # 008 - IE)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101830175621193&w=2参考:MISC:http://security.greymagic.com/adv/gm008-ie/负载方法图表组件的Web组件(油水界面)9和10时生成一个异常指定的文件不存在,它允许远程攻击者确定本地文件的存在。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1338 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1339网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1339最终决定:阶段性裁决:修改:建议:20030317分配:20021203类别:科幻参考:BUGTRAQ: 20020408多个本地文件与油水界面检测问题在IE (GM # 008 - IE)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101830175621193&w=2参考:MISC:http://security.greymagic.com/adv/gm008-ie/“XMLURL”属性的电子表格组件的Web组件(油水界面)10重定向,它允许远程攻击者确定本地文件基于异常的存在,或读表的XML文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1339 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1340网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1340最终决定:阶段性裁决:修改:建议:20030317分配:20021203类别:科幻参考:BUGTRAQ: 20020408多个本地文件与油水界面检测问题在IE (GM # 008 - IE)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=101830175621193&w=2参考:MISC:http://security.greymagic.com/adv/gm008-ie/“ConnectionFile”属性在办公室DataSourceControl组件的Web组件(油水界面)10允许远程攻击者确定本地文件通过检测异常的存在。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1340 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1399网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1399最终决定:阶段性裁决:修改:建议:20030317分配:20030107类别:科幻参考:BUGTRAQ: 20020819 Re: @(#)莫德雷德实验室咨询0 x0001:缓冲区溢出在PostgreSQL参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=102978152712430&w=2参考:MISC:http://archives.postgresql.org/pgsql-hackers/2002-08/msg00708.php参考:MISC:http://archives.postgresql.org/pgsql-hackers/2002-08/msg00713.php未知的漏洞在PostgreSQL 7.2.1 cash_out可能还有其他功能,早些时候,甚至后来的版本7.2.3之前,与未知的影响,基于一个无效的整数输入处理为不同的数据类型,展示了使用cash_out (2)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1399 3供应商确认:未知的内容决定:SF-LOC抽象:大量的缓冲区溢出等问题在PostgreSQL 7.2中被发现。在2002年8月x。解决这些不同的问题的过程是相当艰巨的。CD: SF-LOC可能建议结合大多数溢出到单个项目,一些安全警告是含糊不清,似乎适合创建独立的候选人单独的报告,以便供应商可能澄清他们的客户哪些问题(或没有)修复。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1459网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1459最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020813 L-Forum XSS和上传欺骗参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-08/0115.html参考:确认:http://sourceforge.net/tracker/download.php?group_id=53716&atid=471343&file_id=26687&aid=579278参考:确认:http://sourceforge.net/tracker/index.php?func=detail&aid=579278&group_id=53716&atid=471343参考:XF: lforum-html-message-xss(9838)参考:网址:http://www.iss.net/security_center/static/9838.php参考:报价:5462参考:网址:http://www.securityfocus.com/bid/5462早些时候在L-Forum 2.40和跨站点脚本漏洞,当“启用HTML消息”选项,允许远程攻击者通过消息字段插入任意脚本或HTML包括(1),(2)电子邮件,和(3)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1459 3供应商确认:是的更新日志内容决定:SF-LOC抽象:CD: SF-LOC表明分割的物品如果一项出现在一个比另一个不同的版本。正如Bugtraq邮报和供应商确认,“启用HTML”选项的错误* *是固定的,但相关的错误当“启用HTML”* *并不固定。因此这些物品应该分裂。确认:供应商错误报告579278年,2002年7月9日说”主题,和电子邮件字段不是通过htmlspecialchars函数”(即洁净的XSS)和信贷Bugtraq海报。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1460网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1460最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020813 L-Forum XSS和上传欺骗参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-08/0115.html参考:确认:http://sourceforge.net/tracker/download.php?group_id=53716&atid=471343&file_id=26687&aid=579278参考:确认:http://sourceforge.net/tracker/index.php?func=detail&aid=579278&group_id=53716&atid=471343参考:报价:5463参考:网址:http://www.securityfocus.com/bid/5463参考:XF: lforum-upload-read-files(9839)参考:网址:http://www.iss.net/security_center/static/9839.phpL-Forum 2.40和更早的不正确验证文件是否上传或者相关的变量设置邮寄(附件、attachment_name attachment_size和attachment_type),它允许远程攻击者读取任意文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1460 3供应商确认:是的更新日志内容决定:SF-LOC确认:供应商错误报告579278年7月9日表示,2002年”主题,和电子邮件字段不是通过htmlspecialchars函数”(即洁净的XSS)和信贷Bugtraq海报。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1483网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1483最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:VULNWATCH: 20020919咨询:文件披露在DB4Web参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0124.html参考:BUGTRAQ: 20020917咨询:文件披露在DB4Web参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0197.html参考:确认:http://www.db4web.de/download/homepage/hotfix/readme_en.txt参考:XF: db4web-db4webc-directory-traversal(10123)参考:网址:http://www.iss.net/security_center/static/10123.php参考:报价:5723参考:网址:http://www.securityfocus.com/bid/5723db4web_c db4web_c。exe程序DB4Web 3.4和3.6允许远程攻击者读取任意文件通过一个HTTP请求的参数是一个文件名的形式(1)C:(驱动器),(2)/ /绝对路径(双斜杠),或(3). .(圆点)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1483 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1503网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1503最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020904发展署1.2.14多个本地根妥协参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0029.html参考:确认:http://www.dwd.de/AFD/txt/CHANGES参考:报价:5626参考:网址:http://www.securityfocus.com/bid/5626参考:XF: afd-multiple-binaries-bo(10036)参考:网址:http://www.iss.net/security_center/static/10036.php缓冲区溢出在文件自动分配器(变频器)1.2.14早些时候,允许本地用户获得特权通过长MON_WORK_DIR环境变量或- w (workdir)参数(1)情况,(2)afdcmd, (3) afd_ctrl, init_afd (4), (5) mafd, mon_ctrl (6), (7) show_olog,或(8)udc。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1503 3供应商确认:是的更新日志内容决定:SF-LOC, SF-EXEC确认:一条更新日志,可追溯到31.08.2002(8月31日)说“修复多个地方根利用get_afd_path()和get_mon_path()和信贷的揭露者。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论: