(提案)集群确认- 2002 b - 59岁的候选人

我提出集群确认- 2002 b为审查和编辑委员会的投票。名称:确认- 2002 b描述:罐明确供应商ack。从2002年10月到2002年12月大小:59通过修改这封邮件你可能投票的候选人投票,将它寄回给我,或通过使用CVE投票网站。中列出的候选人优先秩序。优先级1和优先级2的候选人都应对不同层次的供应商确认,所以他们应该易于检查和可以信任的,是真实的问题。总结的选票使用(“严重程度”的按升序)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -接受——选民接受候选人提出的等待——选民对候选人没有意见修改选民想要改变一些小细节(例如参考/描述)审查-选民正在审查/研究候选人,或需要更多的信息,重塑候选人必须大幅修改,如分割或合并拒绝候选人不是“漏洞”,或重复等。1)请写你的投票在直线上,从“投票:”开始。如果你想添加评论或细节,在投票后将它们添加到线:线。2)如果你看到任何失踪的引用,请提及他们,使他们可以包括在内。在映射引用帮助极大。3)请注意,“修改”被视为一个“接受”当计算选票。 So if you don't have sufficient information for a candidate but you don't want to NOOP, use a REVIEWING. ********** NOTE ********** NOTE ********** NOTE ********** NOTE ********** Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats. ====================================================== Candidate: CAN-2002-0969 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0969最终决定:阶段性裁决:修改:建议:20030317分配:20020820类别:科幻参考:VULNWATCH: 20021002 wp - 02 - 0003: MySQL当地可利用的缓冲区溢位参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0004.html参考:BUGTRAQ: 20021002 wp - 02 - 0003: MySQL当地可利用的缓冲区溢位参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103358628011935&w=2参考:MISC:http://www.westpoint.ltd.uk/advisories/wp - 02 - 0003. - txt参考:确认:http://www.mysql.com/documentation/mysql/bychapter/manual_万博下载包News.html News-3.23.x参考:XF: mysql-myini-datadir-bo(10243)参考:网址:http://www.iss.net/security_center/static/10243.php参考:报价:5853参考:网址:http://www.securityfocus.com/bid/5853缓冲区溢出在MySQL 3.23.50, 4.0 beta 4.02之前,可能还有其他平台,允许本地用户执行任意代码通过一个长在我的“datadir”参数。ini初始化文件的权限在Windows允许完全控制所有人组。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0969 1供应商确认:未知的确认:变更为“变化释放3.23.50(2002年4月21日)”表示:“固定缓冲区溢位问题如果有人mysqld datadir参数指定了太长时间。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0990网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0990最终决定:阶段性裁决:修改:建议:20030317分配:20020827类别:科幻参考:BUGTRAQ: 20021014多个赛门铁克防火墙安全网络服务器超时DoS参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103463869503124&w=2参考:确认:http://securityresponse.symantec.com/avcenter/security/Content/2002.10.11.html参考:报价:5958参考:网址:http://www.securityfocus.com/bid/5958参考:XF: simple-webserver-url-dos(10364)参考:网址:http://www.iss.net/security_center/static/10364.php赛门铁克企业防火墙的web代理组件(海基会)6.5.2通过7.0,猛禽防火墙6.5和6.5.3,迅猛龙,和赛门铁克网关安全允许远程攻击者造成拒绝服务(连接资源枯竭)通过多个连接请求域的DNS服务器无响应或不存在,它会生成一个超时。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0990 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1118网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1118最终决定:阶段性裁决:修改:建议:20030317分配:20020909类别:科幻参考:VULNWATCH: 20021009 r7 - 0006: Oracle 8 / 9我听众SERVICE_CURLOAD拒绝服务引用:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0017.html参考:确认:http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf参考:XF: oracle-net-services-dos(10283)参考:网址:http://www.iss.net/security_center/static/10283.phpTNS侦听器在Oracle为Oracle 9 i 9.2网络服务。9.0 x和。我8.1 x, Oracle 8。x,允许远程攻击者造成拒绝服务(挂起或崩溃)通过SERVICE_CURLOAD命令。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1118 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1178网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1178最终决定:阶段性裁决:修改:建议:20030317分配:20021003类别:科幻参考:BUGTRAQ: 20021002 wp - 02 - 0011: Jetty CGIServlet任意命令执行参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103358725813039&w=2参考:VULNWATCH: 20021002 wp - 02 - 0011: Jetty CGIServlet任意命令执行参考:MISC:http://www.westpoint.ltd.uk/advisories/wp - 02 - 0011. - txt参考:确认:http://groups.yahoo.com/group/jetty-announce/message/45参考:XF: jetty-cgiservlet-directory-traversal(10246)参考:网址:http://www.iss.net/security_center/static/10246.php参考:报价:5852参考:网址:http://www.securityfocus.com/bid/5852目录遍历脆弱性的CGIServlet Jetty HTTP服务器之前4.1.0允许远程攻击者执行任意命令通过. .圆点反斜杠(\)序列在一个HTTP请求到目录目录。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1178 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1197网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1197最终决定:阶段性裁决:修改:建议:20030317分配:20021009类别:科幻参考:BUGTRAQ: 20021001 (BUGZILLA)安全咨询参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103349804226566&w=2参考:确认:http://bugzilla.mozilla.org/show_bug.cgi?id=163024参考:XF: bugzilla-emailappend-command-injection(10234)参考:网址:http://www.iss.net/security_center/static/10234.phpbugzilla_email_append。pl Bugzilla 2.14。2.16 x 2.14.4之前,。x 2.16.1之前,允许远程攻击者执行任意代码通过shell元字符processmail系统调用。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1197 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1198网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1198最终决定:阶段性裁决:修改:建议:20030317分配:20021009类别:科幻参考:BUGTRAQ: 20021001 (BUGZILLA)安全咨询参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103349804226566&w=2参考:确认:http://bugzilla.mozilla.org/show_bug.cgi?id=165221参考:XF: bugzilla-email-sql-injection(10235)参考:网址:http://www.iss.net/security_center/static/10235.phpBugzilla 2.16。x 2.16.1之前不正确过滤撇号的电子邮件地址在创建帐户的过程中,它允许远程攻击者执行任意SQL通过SQL注入攻击。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1198 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1244网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1244最终决定:阶段性裁决:修改:建议:20030317分配:20021101类别:科幻/ CF / MP / SA / /未知参考:BUGTRAQ: 20021104 iDEFENSE安全顾问11.04.02a:巴勃罗FTP服务器DoS脆弱性参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103642642802889&w=2参考:VULNWATCH: 20021104 iDEFENSE安全顾问11.04.02a:巴勃罗FTP服务器DoS脆弱性参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0057.html参考:确认:http://www.pablovandermeer.nl/ftpserver.zip参考:XF: pablo-ftp-username-dos(10532)参考:网址:http://www.iss.net/security_center/static/10532.php参考:报价:6099参考:网址:http://www.securityfocus.com/bid/6099参考:XF: pablo-ftp-username-dos(10532)参考:网址:http://www.iss.net/security_center/static/10532.php格式字符串漏洞Pablo FTP服务器1.5、1.3,可能还有其他版本,允许远程攻击者可能导致拒绝服务和执行任意代码通过用户命令格式字符串。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1244 1供应商确认:是的changelog承认:“whatsnew。txt”文件包括一个项目1.51版本,日期11/01/2002,“固定安全漏洞:发送% n % n % n(和其他c格式字符串)c·拉希德系统(由于www.idefense.com)(大参考)。”投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1264网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1264最终决定:阶段性裁决:修改:建议:20030317分配:20021104类别:科幻参考:BUGTRAQ: 20021104甲骨文iSQL * +缓冲区溢出漏洞(# NISR04112002)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103643298712284&w=2参考:VULNWATCH: 20021104甲骨文iSQL * +缓冲区溢出漏洞(# NISR04112002)参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0060.html参考:确认:http://technet.oracle.com/deploy/security/pdf/2002alert46rev1.pdf参考:XF: oracle-isqlplus-userid-bo(10524)参考:网址:http://www.iss.net/security_center/static/10524.php参考:报价:6085参考:网址:http://www.securityfocus.com/bid/6085缓冲区溢出在Oracle iSQL * + Oracle 9数据库的web应用程序服务器允许远程攻击者执行任意代码通过一个长isqlplus USERID参数的URL。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1264 1供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1266网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1266最终决定:阶段性裁决:修改:建议:20030317分配:20021104类别:科幻参考:确认:http://www.info.apple.com/usen/security/security_updates.htmlMac OS X 10.2.2允许本地用户获得特权安装磁盘映像文件上创建另一个系统,即“本地用户特权高程通过磁盘映像文件。”Analysis ---------------- ED_PRI CAN-2002-1266 1 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-1267 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1267最终决定:阶段性裁决:修改:建议:20030317分配:20021104类别:科幻参考:确认:http://www.info.apple.com/usen/security/security_updates.htmlMac OS X 10.2.2允许远程攻击者造成拒绝服务通过访问CUPS打印网络管理实用程序,又名“CUPS打印Web管理远程访问”。Analysis ---------------- ED_PRI CAN-2002-1267 1 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-1268 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1268最终决定:阶段性裁决:修改:建议:20030317分配:20021104类别:科幻参考:确认:http://www.info.apple.com/usen/security/security_updates.htmlMac OS X 10.2.2允许本地用户获得特权通过安装ISO 9600 CD,又名“用户特权高程通过安装一个CD ISO 9600。”Analysis ---------------- ED_PRI CAN-2002-1268 1 Vendor Acknowledgement: yes advisory Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-1270 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1270最终决定:阶段性裁决:修改:建议:20030317分配:20021104类别:科幻参考:确认:http://www.info.apple.com/usen/security/security_updates.htmlMac OS X 10.2.2允许本地用户读文件,只允许写访问通过map_fd()系统调用马赫。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1270 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1283网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1283最终决定:阶段性裁决:修改:建议:20030317分配:20021112类别:科幻参考:BUGTRAQ: 20021111这- 2002 - 2963651 - iManager (eMFrame)缓冲区溢位参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103703760321408&w=2参考:确认:http://support.novell.com/servlet/tidfinder/2963651参考:报价:6154参考:网址:http://www.securityfocus.com/bid/6154在Novell iManager缓冲区溢出(eMFrame) 1.5允许远程攻击者通过身份验证请求导致拒绝服务有着悠久专有名称(DN)属性。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1283 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1284网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1284最终决定:阶段性裁决:修改:建议:20030317分配:20021112类别:科幻参考:BUGTRAQ: 20021110 GLSA: kgpg参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103702926611286&w=2参考:确认:http://devel-home.kde.org/ ~ kgpg / bug.html向导在KGPG 0.6通过0.8.2不正确提供密码gpg当创建新的钥匙,导致密钥创建一个空的密码和允许本地攻击者窃取密钥,如果他们可以阅读。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1284 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1349网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1349最终决定:阶段性裁决:修改:建议:20030317分配:20021210类别:科幻参考:BUGTRAQ: 20021210无节制的缓冲区在趋势科技参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103953822705917&w=2参考:MISC:http://www.texonet.com/advisories/texonet - 20021210. - txt参考:确认:http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982在pop3trap缓冲区溢出。exe趋势科技2000、2002和2003年允许本地用户执行任意代码通过一个长输入字符串TCP端口110 (POP3)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1349 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1381网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1381最终决定:阶段性裁决:修改:建议:20030317分配:20021216类别:科幻参考:BUGTRAQ: 20021204本地根漏洞中发现进出口4。x (3. x)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103903403527788&w=2参考:确认:http://groups.yahoo.com/group/exim-users/message/42358参考:BUGTRAQ: 20021216 GLSA:进出口参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=104006219018664&w=2格式字符串漏洞在守护进程。为进出口4 c。通过4.10 x,和3。通过3.36 x,允许进出口管理用户执行任意代码通过修改pid_file_path价值。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1381 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1382网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1382最终决定:阶段性裁决:修改:建议:20030317分配:20021217类别:科幻参考:BUGTRAQ: 20021217 Macromedia Flash冲击波畸形头溢出# 2参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=104014220727109&w=2参考:VULNWATCH: 20021217 Macromedia Flash冲击波畸形头溢出# 2参考:网址:http://marc.theaimsgroup.com/?l=vulnwatch&m=104013370116670参考:确认:http://www.macromedia.com/v1/handlers/index.cfm?ID=23569Macromedia Flash Player 6.0.65.0之前允许远程攻击者执行任意代码通过特定的数据头冲击波Flash文件格式的文件(SWF),一个不同的问题比- 2002 - 0846。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1382 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1385网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1385最终决定:阶段性裁决:修改:建议:20030317分配:20021219类别:科幻参考:BUGTRAQ: 20021218 Openwebmail 1.71远程根妥协参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=104031696120743&w=2参考:BUGTRAQ: 20021219(修复)Openwebmail 1.71远程根妥协参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=104032263328026&w=2参考:确认:http://sourceforge.net/forum/forum.php?thread_id=782605&forum_id=108435早些时候在打开邮箱1.81和openwebmail_init允许本地用户攻击者执行任意代码通过. .(点点)序列在一个登录名,比如名称为openwebmail-abook sessionid提供的参数。pl,用于发现配置文件指定额外的代码执行。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1385 1供应商确认:是的咨询确认:宣布页面打开电子邮件包含一个条目“安全咨询20021219,”描述问题和信贷Bugtraq海报。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1391网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1391最终决定:阶段性裁决:修改:建议:20030317分配:20030106类别:科幻参考:确认:http://search.alphanet.ch/cgi-bin/search.cgi?msgid=20021125142338.E12094%40greenie.muc.de&max_results=1&type=long&domain=ml-mgetty缓冲区溢出的cnd-program mgetty 1.1.29之前允许远程攻击者可能导致拒绝服务和执行任意代码通过一个来电显示字符串长CallerName论点。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1391 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1392网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1392最终决定:阶段性裁决:修改:建议:20030317分配:20030106类别:科幻/ CF / MP / SA / /未知参考:确认:http://search.alphanet.ch/cgi-bin/search.cgi?msgid=20021125142338.E12094%40greenie.muc.de&max_results=1&type=long&domain=ml-mgettyfaxspool mgetty 1.1.29之前使用一个人人可写的spool目录外向的传真,它允许本地用户修改传真传输的特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1392 1供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1523网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1523最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20021013目录遍历在丹尼尔Arenz迷你服务器参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0181.html参考:确认:http://www.da-home.de/miniserver/update.html参考:XF: mini-server-directory-traversal(10366)参考:网址:http://www.iss.net/security_center/static/10366.php目录遍历脆弱性丹尼尔Arenz微型服务器2.1.6允许远程攻击者读取任意文件通过(1). .圆点斜杠/()或(2). .圆点反斜杠(\)序列。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1523 1供应商确认:是的、确认:更新日志包括一项10月14日,2002,说(在德国)“Sicherheits更新:Es是错的较多m�glich后陆窝根文件夹祖茂堂gelangen。”Google translates this to "Security update: It is not to be arrived any longer possible behind the root file," which indicates that a directory traversal vulnerability is being addressed. Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-1547 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1547最终决定:阶段性裁决:修改:建议:20030317分配:20030304类别:科幻参考:BUGTRAQ: 20021101防火墙SSH1 CRC32补偿拒绝服务引用:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0443.html参考:VULNWATCH: 20021101防火墙SSH1 CRC32补偿拒绝服务引用:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0053.html参考:VULNWATCH: 20021101(修正)防火墙SSH1 CRC32补偿拒绝服务引用:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0054.html参考:BUGTRAQ: 20021101(修正)防火墙SSH1 CRC32补偿拒绝服务引用:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0446.html参考:确认:http://www.netscreen.com/support/alerts/11_06_02.html参考:XF: netscreen-ssh-dos(10528)参考:网址:http://www.iss.net/security_center/static/10528.php防火墙运行ScreenOS 4.0.0r6早些时候,允许远程攻击者造成拒绝服务通过一个畸形的SSH包安全命令Shell (SCS)管理界面,通过某些CRC32利用作为证明,不同的漏洞比cve - 2001 - 0144。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1547 1供应商确认:是的咨询确认:防火墙的顾问说,“网屏客户的一份报告证实,SSHv1 CRC32攻击可以妥协的能力来管理防火墙设备和/或迫使设备重新启动“投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1540网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1540最终决定:阶段性裁决:修改:建议:20030317分配:20030225类别:科幻参考:BUGTRAQ: 20021024 DH团队:诺顿杀毒软件企业版特权升级参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0346.html参考:BUGTRAQ: 20021025 RE: DH团队:诺顿杀毒软件企业版特权升级,http://online.securityfocus.com/archive/1/296979/2002-10-22/2002-10-28/0参考网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0369.html参考:XF: nav-winhlp32-gain-privileges(10475)参考:网址:http://www.iss.net/security_center/static/10475.php诺顿杀毒软件公司赛门铁克7.5版客户端。x v7.5.1构建之前62和7.6。x 7.6.1构建35运行之前winhlp32与特权,它允许本地用户获得特权winhlp32通过使用某些功能。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1540 2供应商确认:是的跟踪投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1552网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1552最终决定:阶段性裁决:修改:建议:20030317分配:20030304类别:科幻参考:BUGTRAQ: 20021112这- 2002 - 2963827 -远程管理安全问题- NW5.1参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103712790808781&w=2参考:BUGTRAQ: 20021112这- 2002 - 2963767 -远程管理安全问题——eDir 8.6.2参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103712498905027&w=2Novell eDirectory eDir 8.6.2和网络5.1 eDir 85。x允许用户过期密码获得不当从远程登录的权限,当经理。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1552 2供应商确认:是的咨询投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0386网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0386最终决定:阶段性裁决:修改:建议:20030317分配:20020522类别:科幻参考:ATSTAKE: A102802-1参考:网址:http://www.atstake.com/research/advisories/2002/a102802 - 1. - txt参考:确认:http://otn.oracle.com/deploy/security/pdf/2002alert43rev1.pdfOracle Web缓存管理模块的Oracle9iAS我应用程序套件(9)9.0.2允许远程攻击者造成拒绝服务(崩溃)通过(1)一个HTTP GET请求包含一个“. .”(dot dot) sequence, or (2) a malformed HTTP GET request with a chunked Transfer-Encoding with missing data. Analysis ---------------- ED_PRI CAN-2002-0386 3 Vendor Acknowledgement: yes advisory Content Decisions: SF-LOC Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-0705 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0705最终决定:阶段性裁决:修改:建议:20030317分配:20020718类别:科幻参考:BUGTRAQ: 20021002 wp - 02 - 0005:多个漏洞SuperScout Web服务器报告参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103359690824103&w=2网络报告服务器SurfControl SuperScout WebFilter scwebusers“用户名和密码文件存储在一个Web访问的目录,它允许远程攻击者获得有效的用户名和密码破解。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0705 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0706网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0706最终决定:阶段性裁决:修改:建议:20030317分配:20020718类别:科幻/ CF / MP / SA / /未知参考:BUGTRAQ: 20021002 wp - 02 - 0005:多个漏洞SuperScout Web服务器报告参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103359690824103&w=2UserManager。js的Web报表服务器SurfControl SuperScout WebFilter为管理员使用弱加密功能,它允许远程攻击者解密管理密码使用硬编码的关键在一个Javascript函数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0706 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0707网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0707最终决定:阶段性裁决:修改:建议:20030317分配:20020718类别:科幻/ CF / MP / SA / /未知参考:BUGTRAQ: 20021002 wp - 02 - 0005:多个漏洞SuperScout Web服务器报告参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103359690824103&w=2网络报告服务器SurfControl SuperScout WebFilter允许远程攻击者造成拒绝服务(CPU消耗)通过大的GET请求,可能由于缓冲区溢出。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0707 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0708网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0708最终决定:阶段性裁决:修改:建议:20030317分配:20020718类别:科幻/ CF / MP / SA / /未知参考:BUGTRAQ: 20021002 wp - 02 - 0005:多个漏洞SuperScout Web服务器报告参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103359690824103&w=2目录遍历网络报道服务器中的漏洞SurfControl SuperScout WebFilter允许远程攻击者读取任意文件通过一个HTTP请求包含…(3点)序列。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0708 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 0709网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 0709最终决定:阶段性裁决:修改:建议:20030317分配:20020718类别:科幻/ CF / MP / SA / /未知参考:BUGTRAQ: 20021002 wp - 02 - 0005:多个漏洞SuperScout Web服务器报告参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103359690824103&w=2Web报表服务器的SQL注入漏洞SurfControl SuperScout WebFilter允许远程攻击者执行任意SQL查询通过SimpleBar RunReport选项。dll,可能还有其他dll。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 0709 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1191网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1191最终决定:阶段性裁决:修改:建议:20030317分配:20021008类别:科幻参考:BUGTRAQ: 20021016 iDEFENSE安全顾问10.16.02:拒绝服务在Sabre桌面预订Windows客户端参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103478372603106&w=2参考:MISC:http://www.idefense.com/advisory/10.16.02.txt参考:XF: sabre-sabserv-client-dos(10378)参考:网址:http://www.iss.net/security_center/static/10378.phpSabserv客户机组件在Sabre桌面保留软件4.2 4.4允许远程攻击者通过畸形引起拒绝服务输入TCP端口1001。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1191 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1209网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1209最终决定:阶段性裁决:修改:建议:20030317分配:20021014类别:科幻参考:VULNWATCH: 20021024 iDEFENSE安全顾问10.24.02:目录遍历SolarWinds TFTP服务器参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0044.html参考:MISC:http://www.idefense.com/advisory/10.24.02.txt目录遍历脆弱性SolarWinds 5.0.55 TFTP服务器,甚至之前,允许远程攻击者读取任意文件通过“. .\”(圆点反斜杠)序列在一个GET请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1209 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1210网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1210最终决定:阶段性裁决:修改:建议:20030317分配:20021014类别:科幻参考:VULNWATCH: 20021119 iDEFENSE安全顾问11.19.02b: Eudora脚本执行漏洞参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0079.html参考:MISC:http://www.idefense.com/advisory/11.19.02b.txt高通Eudora 5.1.1, 5.2,可能还有其他版本邮件附件存储在一个可预测的位置,它允许远程攻击者读取任意文件通过一个链接,将附件包含恶意脚本加载到一个框架,然后在本地浏览器上下文中执行脚本。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1210 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1211网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1211最终决定:阶段性裁决:修改:建议:20030317分配:20021014类别:科幻参考:MISC:http://www.idefense.com/advisory/10.31.02b.txt参考:BUGTRAQ: 20021101 iDEFENSE安全顾问10.31.02b:普罗米修斯应用程序框架代码注入参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103616306403031&w=2参考:VULNWATCH: 20021101 iDEFENSE安全顾问10.31.02b:普罗米修斯应用程序框架代码注入参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0050.html参考:XF: prometheus-php-file-include(10515)参考:网址:http://www.iss.net/security_center/static/10515.php参考:报价:6087参考:网址:http://www.securityfocus.com/bid/60876.0和更早的普罗米修斯允许远程攻击者通过修改PHP代码执行任意PROMETHEUS_LIBRARY_BASE指向代码存储在远程服务器上,然后再用于(1)指数。php,(2)安装。php,或(3)各种test_ *。php脚本。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1211 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1217网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1217最终决定:阶段性裁决:修改:建议:20030317分配:20021015类别:科幻参考:BUGTRAQ: 20021015 Internet Explorer:诺曼底登陆参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103470310417576&w=2参考:NTBUGTRAQ: 20021015 Internet Explorer:诺曼底登陆参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=103470202010570&w=2参考:VULNWATCH: 20021015 Internet Explorer:诺曼底登陆参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0024.html参考:MISC:http://security.greymagic.com/adv/gm011-ie/参考:XF: ie-iframe-document-script-execution(10371)参考:网址:http://www.iss.net/security_center/static/10371.php满足于脚本漏洞在浏览器中使用Internet Explorer 5.5和6.0允许远程攻击者执行任意代码,读取任意文件,或进行其他未经授权的活动通过脚本访问文档属性,它绕过<框架>和< iframe >域限制。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1217 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1228网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1228最终决定:阶段性裁决:修改:建议:20030317分配:20021020类别:科幻参考:确认:http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F47815&zone_32=category%3Asecurity参考:BUGTRAQ: 20021017 NFS拒绝服务从太阳参考咨询:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103487058823193&w=2参考:XF: solaris-nfs-lockd-dos(10394)参考:网址:http://www.iss.net/security_center/static/10394.php未知的漏洞在NFS在Solaris 2.5.1 Solaris 9允许NFS客户端引起拒绝服务,通过杀lockd守护进程。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1228 3供应商确认:对咨询内容的决定:模糊的抽象:咨询太模糊,知道这是同样的问题cve - 2000 - 0508。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1229网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1229最终决定:阶段性裁决:修改:建议:20030317分配:20021020类别:科幻参考:确认:http://support.avaya.com/japple/css/japple?PAGE=avaya.css.OpenPage&temp.template.name=Avaya_P580_P882_Undocumented参考:BUGTRAQ: 20021015非法账户漏洞亚美亚P550R / P580 / P880 / P882参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103470243012971&w=2参考:XF: avaya-cajun-default-passwords(10374)参考:网址:http://www.iss.net/security_center/static/10374.php亚美亚法人后裔开关P880, P882、P580 P550R 5.2.14早些时候,包含非法账户manuf(1)和(2)诊断接头使用默认密码,它允许远程攻击者获得特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1229 3供应商确认:对咨询内容的决定:CF-PASS投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1236网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1236最终决定:阶段性裁决:修改:建议:20030317分配:20021024类别:科幻参考:MISC:http://www.idefense.com/advisory/10.31.02a.txt参考:BUGTRAQ: 20021101 iDEFENSE安全顾问10.31.02a:拒绝服务漏洞在路由器BEFSR41 EtherFast电缆/ DSL路由器参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103616324103171&w=2参考:VULNWATCH: 20021101 iDEFENSE安全顾问10.31.02a:拒绝服务漏洞在路由器BEFSR41 EtherFast电缆/ DSL路由器参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0049.html参考:XF: linksys-etherfast-gozila-dos(10514)参考:网址:http://www.iss.net/security_center/static/10514.php参考:报价:6086参考:网址:http://www.securityfocus.com/bid/6086路由器的远程管理web服务器BEFSR41 EtherFast电缆/ DSL路由器固件前1.42.7允许远程攻击者造成拒绝服务(崩溃)通过一个HTTP请求Gozila。cgi不带任何参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1236 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1239网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1239最终决定:阶段性裁决:修改:建议:20030317分配:20021101类别:科幻参考:BUGTRAQ: 20021108 iDEFENSE安全顾问11.08.02b: Non-Explicit路径脆弱性在QNX Neutrino RTOS参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103679043232178&w=2参考:VULNWATCH: 20021108 iDEFENSE安全顾问11.08.02b: Non-Explicit路径脆弱性在QNX Neutrino RTOS参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0066.html参考:MISC:http://www.idefense.com/advisory/11.08.02b.txt参考:XF: qnx-rtos-gain-privileges(10564)参考:网址:http://www.iss.net/security_center/static/10564.php参考:报价:6146参考:网址:http://www.securityfocus.com/bid/6146QNX Neutrino RTOS 6.2.0使用PATH环境变量来找到并执行cp程序在操作提高了特权,它允许本地用户获得特权通过修改路径指向恶意cp程序。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1239 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1248网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1248最终决定:阶段性裁决:修改:建议:20030317分配:20021101类别:科幻参考:BUGTRAQ: 20021104 iDEFENSE安全顾问11.04.02b:拒绝服务漏洞在Xeneo Web服务器参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103642597302308&w=2参考:MISC:http://www.idefense.com/advisory/11.04.02b.txt参考:XF: xeneo-php-dos(10534)参考:网址:http://www.iss.net/security_center/static/10534.php参考:报价:6098参考:网址:http://www.securityfocus.com/bid/6098Web服务器解决方案Xeneo 2.1.0.0北部、2.0.759.6和其他版本之前2.1.5允许远程攻击者造成拒绝服务(崩溃)通过GET请求URI“%”。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1248 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1269网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1269最终决定:阶段性裁决:修改:建议:20030317分配:20021104类别:科幻参考:确认:http://www.info.apple.com/usen/security/security_updates.html未知的漏洞在Mac OS X 10.2.2 NetInfo Manager应用程序允许本地用户访问文件系统的限制部分。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1269 3供应商确认:对咨询内容的决定:模糊的投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1286网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1286最终决定:阶段性裁决:修改:建议:20030317分配:20021113类别:科幻参考:BUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103682630823080&w=2参考:NTBUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=103684360031565&w=2微软的Java实现,用于Internet Explorer、允许远程攻击者窃取cookie和执行脚本在不同的安全上下文通过一个URL包含一个冒号在域部分,这是不正确地解析和加载applet从恶意站点的安全上下文内被用户访问的网站。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1286 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1287网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1287最终决定:阶段性裁决:修改:建议:20030317分配:20021113类别:科幻参考:BUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103682630823080&w=2参考:NTBUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=103684360031565&w=2在微软的Java实现基于堆栈缓冲区溢出,用于Internet Explorer、允许远程攻击者造成拒绝服务通过长类名(1)班。forName或(2)ClassLoader.loadClass。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1287 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1288网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1288最终决定:阶段性裁决:修改:建议:20030317分配:20021113类别:科幻参考:BUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103682630823080&w=2参考:NTBUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=103684360031565&w=2微软的Java实现,用于Internet Explorer、允许远程攻击者决定通过getAbsolutePath Internet Explorer进程的当前目录()方法在一个文件中()调用。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1288 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1289网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1289最终决定:阶段性裁决:修改:建议:20030317分配:20021113类别:科幻参考:BUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103682630823080&w=2参考:NTBUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=103684360031565&w=2微软的Java实现,用于Internet Explorer、允许远程攻击者读取进程内存限制,造成拒绝服务(崩溃),并可能通过getNativeServices函数执行任意代码,com.ms.awt.peer的创建一个实例。INativeServices (INativeServices)类的方法不验证内存地址作为参数传递。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1289 3供应商确认:未知的内容决定:SF-LOC抽象:可能可以- 2002 - 1289 - 2002 - 1290应该可以结合,作为潜在的问题可能是INativeServices暴露方法不可信的实体。然而,没有任何公开评论微软2002/11/12,但是目前尚不清楚这些攻击是否应当被视为是相同的。因为可以- 2002 - 1289处理内存地址,可能绕过Java沙箱模型本身,它似乎是合理的分离从- 2002 - 1290。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1290网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1290最终决定:阶段性裁决:修改:建议:20030317分配:20021113类别:科幻/ CF / MP / SA / /未知参考:BUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103682630823080&w=2参考:NTBUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=103684360031565&w=2微软的Java实现,用于Internet Explorer、允许远程攻击者读取和修改剪贴板的内容通过访问applet(2)和(1)ClipBoardGetText ClipBoardSetText INativeServices类的方法。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1290 3供应商确认:未知的内容决定:SF-LOC抽象:可能可以- 2002 - 1289 - 2002 - 1290应该可以结合,作为潜在的问题可能是INativeServices暴露方法不可信的实体。然而,没有任何公开评论微软2002/11/12,但是目前尚不清楚这些攻击是否应当被视为是相同的。因为可以- 2002 - 1289处理内存地址,可能绕过Java沙箱模型本身,它似乎是合理的分离从- 2002 - 1290。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1291网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1291最终决定:阶段性裁决:修改:建议:20030317分配:20021113类别:科幻参考:BUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103682630823080&w=2参考:NTBUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=103684360031565&w=2微软的Java实现,用于Internet Explorer、允许远程攻击者读取任意本地文件和通过一个applet标签网络共享代码库设置为“文件:/ / % 00”(null字符)的URL。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1291 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1293网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1293最终决定:阶段性裁决:修改:建议:20030317分配:20021113类别:科幻参考:BUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103682630823080&w=2参考:NTBUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=103684360031565&w=2微软的Java实现,用于Internet Explorer,提供了一个公共load0 CabCracker类()方法(com.ms.vm.loader.CabCracker),它允许远程攻击者绕过安全检查所执行的load()方法。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1293 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1294网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1294最终决定:阶段性裁决:修改:建议:20030317分配:20021113类别:科幻参考:BUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103682630823080&w=2参考:NTBUGTRAQ: 20021108技术应用补丁的Java女士漏洞信息参考:网址:http://marc.theaimsgroup.com/?l=ntbugtraq&m=103684360031565&w=2微软的Java实现,用于Internet Explorer,可以提供HTML对象引用通过Javascript applet,它允许远程攻击者造成拒绝服务(崩溃由于非法内存访问)和可能进行其他未经授权的活动通过一个applet,它使用这些引用访问微软专有的方法。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1294 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1308网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1308最终决定:阶段性裁决:修改:建议:20030317分配:20021115类别:科幻参考:BUGTRAQ: 20021114网景/ Mozilla:利用堆腐败通过jar: URI处理程序。参考网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103730181813075&w=2参考:MISC:http://bugzilla.mozilla.org/show_bug.cgi?id=157646基于堆的缓冲区溢出在Netscape和Mozilla允许远程攻击者执行任意代码通过一个jar: URL引用一个畸形的. jar文件,在减压溢出缓冲区。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1308 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1315网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1315最终决定:阶段性裁决:修改:建议:20030317分配:20021120类别:科幻参考:VULNWATCH: 20021118 iPlanet网络服务器,远程根妥协参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0078.html参考:BUGTRAQ: 20021119 iPlanet网络服务器、远程根妥协参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103772308030269&w=2参考:MISC:http://www.ngsec.com/docs/advisories/ngsec - 2002 - 4. - txt跨站点脚本(XSS)脆弱性iPlanet管理服务器的网络服务器4。x, SP11,允许远程攻击者执行web脚本或HTML作为iPlanet管理员通过注入所需的脚本错误日志,并可能升级特权使用XSS漏洞与另一个问题(可以- 2002 - 1316)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1315 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1316网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1316最终决定:阶段性裁决:修改:建议:20030317分配:20021120类别:科幻/ CF / MP / SA / /未知参考:VULNWATCH: 20021118 iPlanet网络服务器,远程根妥协参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0078.html参考:BUGTRAQ: 20021119 iPlanet网络服务器、远程根妥协参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103772308030269&w=2参考:MISC:http://www.ngsec.com/docs/advisories/ngsec - 2002 - 4. - txt在管理服务器importInfo iPlanet网络服务器4。x, SP11,允许网络管理员执行任意命令dir参数通过shell元字符,并可能允许远程攻击者利用此漏洞通过一个单独的XSS问题(可以- 2002 - 1315)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1316 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1321网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1321最终决定:阶段性裁决:修改:建议:20030317分配:20021126类别:科幻参考:BUGTRAQ: 20021122 Mulitple缓冲区溢出条件RealPlayer / RealOne (# NISR22112002)参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103808645120764&w=2参考:确认:http://service.real.com/help/faq/security/bufferoverrun_player.html多个缓冲区溢出RealOne和RealPlayer允许远程攻击者通过(1)执行任意代码同步多媒体集成语言(SMIL)文件和参数,(2)一个长长的rtsp文件名:/ /请求,如从.m3u文件,或(3)某些“现在玩”选项与长文件名下载文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1321 3供应商确认:对咨询内容的决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1322网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1322最终决定:阶段性裁决:修改:建议:20030317分配:20021126类别:科幻参考:BUGTRAQ: 20021122 ClearCase DoS vulnerabilty参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103808239618238&w=2Rational ClearCase 4.1, 2002.05,可能还有其他版本允许远程攻击者造成拒绝服务(崩溃)通过特定的端口371包,例如通过nmap。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1322 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1334网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1334最终决定:阶段性裁决:修改:建议:20030317分配:20021127类别:科幻参考:MISC:http://www.securitytracker.com/alerts/2002/Nov/1005681.html跨站点脚本(XSS)脆弱性BizDesign ImageFolio 3.01和更早的允许远程攻击者执行任意web脚本作为其他用户通过(1)直接在ImageFolio参数。cgi,或(2)nph-build.cgi。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1334 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1380网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1380最终决定:阶段性裁决:修改:建议:20030317分配:20021216类别:科幻参考:VULNWATCH: 20021217剃须刀咨询:Linux 2.2。xx /proc/< pid > / mem mmap()脆弱性参考:BUGTRAQ: 20021219 tslsa - 2002 - 0083 -内核参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=104033054204316&w=22.2 Linux内核。x允许本地用户造成拒绝服务(崩溃)用mmap()函数与PROT_READ参数通过/proc/pid/mem non-readable内存页面的访问接口。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1380 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1386网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1386最终决定:阶段性裁决:修改:建议:20030317分配:20021223类别:科幻参考:BUGTRAQ: 20021128 TracerouteNG -永无止境的故事参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103849968732634&w=2缓冲区溢出在traceroute-nanog(又名traceroute-ng)允许本地用户通过长主机名参数执行任意代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1386 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1387网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1387最终决定:阶段性裁决:修改:建议:20030317分配:20021223类别:科幻参考:BUGTRAQ: 20021128 TracerouteNG -永无止境的故事参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103849968732634&w=2喷雾模式traceroute-nanog(又名traceroute-ng)允许本地用户覆盖任意内存位置通过一个数组下标溢出使用nprobes(探针)的论点。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1387 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1515网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1515最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20021012 CoolForum v 0.5 beta显示PHP文件内容参考:网址:http://online.securityfocus.com/archive/1/295358参考:VULNWATCH: 20021001 [VULNWATCH] CoolForum v 0.5 beta显示PHP文件内容参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0001.html参考:确认:http://www.coolforum.net/index.php?p=dlcoolforum参考:XF: coolforum-avatar-view-php(10237)参考:网址:http://www.iss.net/security_center/static/10237.php参考:报价:5973参考:网址:http://www.securityfocus.com/bid/5973目录遍历脆弱性在《阿凡达》。php CoolForum 0.5 beta允许远程攻击者读取任意文件通过. .(点点)序列在img参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1515 3供应商确认:是的更新日志内容决定:EX-BETA确认/准确性:考0.5 beta和0.5.1β之间的差异表明,开发人员试图解决这个问题通过检查文件被访问是一个JPG或GIF。虽然这种修复是不完整的(可能允许访问JPG / GIF没有将公开),这是充分证明厂商已经意识到这个问题了。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论: