(日期:][下一个日期][线程:][线程下][日期索引][线程索引]
(提案)集群misc - 2002 b - 63的候选人
- 来:cve-editorial-board-list@lists.mitre.org
- 主题(建议):集群misc - 2002 b - 63的候选人
- 从:“史蒂文·m·Christey " <coley@LINUS.mitre.org>
- 日期:2003年3月17日,星期一,-0500年18:20:06(美国东部时间)
- 交货日期:2003年3月17日18:20:12星期一
- 发送方:owner-cve-editorial-board-list@lists.mitre.org
我提出集群misc - 2002 b,供编辑部评论和投票。名称:Misc - 2002 b描述:Misc罐从2002年9月到2002年12月大小:63年通过修改这封邮件你可能投票的候选人投票,将它寄回给我,或通过使用CVE投票网站。中列出的候选人优先秩序。优先级1和优先级2的候选人都应对不同层次的供应商确认,所以他们应该易于检查和可以信任的,是真实的问题。总结的选票使用(“严重程度”的按升序)- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -接受——选民接受候选人提出的等待——选民对候选人没有意见修改选民想要改变一些小细节(例如参考/描述)审查-选民正在审查/研究候选人,或需要更多的信息,重塑候选人必须大幅修改,如分割或合并拒绝候选人不是“漏洞”,或重复等。1)请写你的投票在直线上,从“投票:”开始。如果你想添加评论或细节,在投票后将它们添加到线:线。2)如果你看到任何失踪的引用,请提及他们,使他们可以包括在内。在映射引用帮助极大。3)请注意,“修改”被视为一个“接受”当计算选票。所以如果你没有足够的信息对候选人但你不想等待,使用一个回顾。 ********** NOTE ********** NOTE ********** NOTE ********** NOTE ********** Please keep in mind that your vote and comments will be recorded and publicly viewable in the mailing list archives or in other formats. ====================================================== Candidate: CAN-2002-1127 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1127最终决定:阶段性裁决:修改:建议:20030317分配:20020918类别:科幻参考:VULNWATCH: 20020918 iDEFENSE安全顾问09.18.2002:安全漏洞OSF1 / Tru64 3。参考网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0122.html参考:XF: osf1-uucp-source-bo(10146)参考:网址:http://www.iss.net/security_center/static/10146.php缓冲区溢出在康柏uucp Tru64 / OSF1 3。x允许本地用户执行任意代码通过一个长源(- s)的命令行参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1127 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1128网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1128最终决定:阶段性裁决:修改:建议:20030317分配:20020918类别:科幻参考:VULNWATCH: 20020918 iDEFENSE安全顾问09.18.2002:安全漏洞OSF1 / Tru64 3。参考网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0122.html参考:XF: osf1-inc-mh-bo(10147)参考:网址:http://www.iss.net/security_center/static/10147.php缓冲区溢出在康柏公司邮件效用Tru64 / OSF1 3。x允许本地用户执行任意代码通过一个长MH环境变量。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1128 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1129网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1129最终决定:阶段性裁决:修改:建议:20030317分配:20020918类别:科幻参考:VULNWATCH: 20020918 iDEFENSE安全顾问09.18.2002:安全漏洞OSF1 / Tru64 3。参考网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0122.html参考:BUGTRAQ: 20020919 iDEFENSE OSF1 / Tru64 3。x vuln澄清参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103248659816294&w=2参考:XF: osf1-dxterm-xrm-bo(10148)参考:网址:http://www.iss.net/security_center/static/10148.php缓冲区溢出dxterm允许本地用户执行任意代码通过一个长-xrm论点。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1129 3供应商确认:未知discloser-claimed内容决定:SF-CODEBASE抽象:可能有一个代码库之间的关系这个问题和其他“-xrm”溢出,发表在其他终端项目如cve - 2002 - 0517和cve - 1999 - 0040。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1133网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1133最终决定:阶段性裁决:修改:建议:20030317分配:20020920类别:科幻参考:BUGTRAQ: 20020923 iDEFENSE安全顾问09.23.2002:恐龙的网络服务器参考目录遍历:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103281444824285&w=2参考:VULNWATCH: 20020923 iDEFENSE安全顾问09.23.2002:恐龙的网络服务器参考目录遍历:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0127.html参考:XF: dinos-dotdot-directory-traversal(10168)参考:网址:http://www.iss.net/security_center/static/10168.php参考:报价:5782参考:网址:http://www.securityfocus.com/bid/5782编码目录遍历脆弱性在恐龙的web server 2.1允许远程攻击者读取任意文件通过“. .”(dot dot) sequences with URL-encoded (1) "/" (%2f") or (2) "\" (%5c) characters. Analysis ---------------- ED_PRI CAN-2002-1133 3 Vendor Acknowledgement: unknown discloser-claimed Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-1176 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1176最终决定:阶段性裁决:修改:建议:20030317分配:20020930类别:科幻参考:BUGTRAQ: 20021219 Foundstone研究实验室咨询——多个可利用的缓冲区溢出Winamp参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=104025874209567&w=2缓冲区溢出的Winamp 2.81允许远程攻击者执行任意代码通过一个长艺术家ID3v2标签在一个MP3文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1176 3供应商确认:未知discloser-claimed内容决定:SF-LOC抽象:艺术家标签溢出适用总是在2.81版本,而它只适用于3.0媒体显示窗口,所以它们是“不同”足够的溢出出现在不同版本;因此独立候选人被分配。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1177网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1177最终决定:阶段性裁决:修改:建议:20030317分配:20020930类别:科幻参考:BUGTRAQ: 20021219 Foundstone研究实验室咨询——多个可利用的缓冲区溢出Winamp参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=104025874209567&w=2多个缓冲区溢位在3.0 Winamp中,当显示一个MP3在媒体库窗口中,允许远程攻击者执行任意代码通过一个MP3文件包含一个长(1)或(2)艺术家专辑ID3v2标签。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1177 3供应商确认:未知discloser-claimed内容决定:SF-LOC抽象:艺术家标签溢出适用总是在2.81版本,而它只适用于3.0媒体显示窗口,所以它们是“不同”足够的溢出出现在不同版本;因此独立候选人被分配。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1201网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1201最终决定:阶段性裁决:修改:建议:20030317分配:20021011类别:科幻参考:BUGTRAQ: 20021009洪水ACK数据包导致AIX DoS参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103418410408599&w=2参考:XF: aix-tcp-flood-dos(10326)参考:网址:http://www.iss.net/security_center/static/10326.phpIBM AIX 4.3.3和AIX 5允许远程攻击者造成拒绝服务(CPU消耗或崩溃)通过大量畸形TCP数据包没有设置任何标志,防止AIX释放相关的内存缓冲区。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1201 3供应商确认:未知discloser-claimed内容决定:SF-EXEC, SF-CODEBASE抽象:而AIX和SecureWay防火墙的攻击都是一样的,有足够的迹象表明,问题的根本原因是不同的。因此,这些产品是分裂。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1203网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1203最终决定:阶段性裁决:修改:建议:20030317分配:20021011类别:科幻参考:BUGTRAQ: 20021009洪水ACK数据包导致IBM SecureWay防火墙DoS参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103417988503398&w=2参考:XF: secureway-tcp-flood-dos(10249)参考:网址:http://www.iss.net/security_center/static/10249.phpIBM SecureWay防火墙之前4.2.2执行额外的处理决定之前,包是无效的,放弃它,它允许远程攻击者造成拒绝服务(资源枯竭)通过大量畸形TCP数据包没有设置任何标志。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1203 3供应商确认:未知discloser-claimed内容决定:SF-EXEC, SF-CODEBASE抽象:而AIX和SecureWay防火墙的攻击都是一样的,有足够的迹象表明,问题的根本原因是不同的。因此,这些产品是分裂。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1204网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1204最终决定:阶段性裁决:修改:建议:20030317分配:20021014类别:科幻参考:VULNWATCH: 20021119 iDEFENSE安全顾问11.19.02c:网景可预测的目录结构允许盗窃偏好文件参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0081.html参考:MISC:http://www.idefense.com/advisory/11.19.02c.txt网景沟通者4。x允许攻击者使用的链接窃取用户的喜好,包括潜在的敏感信息,如URL历史,电子邮件地址,甚至电子邮件密码,通过重新定义user_pref()函数和访问控制台。js文件,该文件存储在一个目录和可预测的名称。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1204 3供应商确认:没有投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1212网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1212最终决定:阶段性裁决:修改:建议:20030317分配:20021014类别:科幻参考:MISC:http://www.idefense.com/advisory/10.15.02.txt参考:BUGTRAQ: 20021014 iDEFENSE安全顾问10.15.02:DoS和目录遍历漏洞在网络服务器4大家参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103471544806141&w=2参考:XF: webserver-4everyone-filename-bo(10372)参考:网址:http://www.iss.net/security_center/static/10372.php缓冲区溢出RadioBird软件网络服务器4大家1.23和1.27,和其他版本1.30之前,允许远程攻击者造成拒绝服务(崩溃)通过HTTP GET请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1212 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1213网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1213最终决定:阶段性裁决:修改:建议:20030317分配:20021014类别:科幻参考:MISC:http://www.idefense.com/advisory/10.15.02.txt参考:BUGTRAQ: 20021014 iDEFENSE安全顾问10.15.02:DoS和目录遍历漏洞在网络服务器4大家参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103471544806141&w=2参考:XF: webserver-4everyone-encoded-traversal(10373)参考:网址:http://www.iss.net/security_center/static/10373.php目录遍历脆弱性RadioBird软件网络服务器4大家1.23和1.27,和其他版本1.30之前,允许远程攻击者读取任意文件通过一个HTTP请求和“. .”(dot-dot) sequences containing URL-encoded forward slash ("%2F") characters. Analysis ---------------- ED_PRI CAN-2002-1213 3 Vendor Acknowledgement: unknown discloser-claimed Voting Section -------------- Possible votes: ACCEPT/MODIFY/NOOP/REVIEWING/RECAST/REJECT If ACCEPT or MODIFY, include reason for acceptance: VERIFIED-BY-MY-ORG, ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST, HAS-INDEPENDENT-CONFIRMATION, or provide other reason. VOTE: ACCEPT_REASON: COMMENTS: ====================================================== Candidate: CAN-2002-1238 URL:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1238最终决定:阶段性裁决:修改:建议:20030317分配:20021101类别:科幻参考:BUGTRAQ: 20021108 iDEFENSE安全顾问11.08.02a:文件披露漏洞在简单的Web服务器引用:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103679016031857&w=2参考:VULNWATCH: 20021108 iDEFENSE安全顾问11.08.02a:文件披露漏洞在简单的Web服务器参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0065.html参考:MISC:http://www.idefense.com/advisory/11.08.02a.txt参考:报价:6145参考:网址:http://www.securityfocus.com/bid/6145彼得·山特维克的简单Web服务器0.5.1早些时候,允许远程攻击者绕过访问限制文件通过一个HTTP请求的多个序列/(削减)字符等http://www.example.com///file/。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1238 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1242网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1242最终决定:阶段性裁决:修改:建议:20030317分配:20021101类别:科幻参考:MISC:http://www.idefense.com/advisory/10.31.02c.txt参考:BUGTRAQ: 20021101 iDEFENSE安全顾问10.31.02c: PHP-Nuke SQL注入漏洞参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&m=103616324103171&w=2参考:VULNWATCH: 20021101 iDEFENSE安全顾问10.31.02c: PHP-Nuke SQL注入漏洞参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0051.html参考:XF: phpnuke-accountmanager-sql-injection(10516)参考:网址:http://www.iss.net/security_center/static/10516.php参考:报价:6088参考:网址:http://www.securityfocus.com/bid/6088SQL注入漏洞在PHP-Nuke 6.0允许远程经过身份验证的用户修改数据库并获得特权modules.php通过“生物”参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1242 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1250网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1250最终决定:阶段性裁决:修改:建议:20030317分配:20021101类别:科幻参考:MISC:http://www.idefense.com/advisory/11.01.02.txt参考:VULNWATCH: 20021101 iDEFENSE安全顾问11.01.02:缓冲区溢出漏洞在滥用参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0055.html参考:XF: abuse-net-command-bo(10519)参考:网址:http://www.iss.net/security_center/static/10519.php参考:报价:6094参考:网址:http://www.securityfocus.com/bid/6094早些时候在滥用2.00和缓冲区溢出允许本地用户获得根权限通过长净命令行参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1250 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1253网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1253最终决定:阶段性裁决:修改:建议:20030317分配:20021101类别:科幻参考:MISC:http://www.idefense.com/advisory/11.01.02.txt参考:VULNWATCH: 20021101 iDEFENSE安全顾问11.01.02:缓冲区溢出漏洞在滥用参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0055.html参考:XF: abuse-lisp-gain-privileges(11300)参考:网址:http://www.iss.net/security_center/static/11300.php滥用2.00和更早的允许本地用户获得特权通过命令行参数指定替代Lisp的脚本运行升级特权,它可以包含函数,执行命令或修改文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1253 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1309网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1309最终决定:阶段性裁决:修改:建议:20030317分配:20021115类别:科幻参考:BUGTRAQ: 20021112达:Macromedia ColdFusion / JRun远程系统缓冲区溢出漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-11/0149.html参考:VULNWATCH: 20021119更新:达:Macromedia ColdFusion / JRun远程系统缓冲区溢出漏洞参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0080.html参考:BUGTRAQ: 20021119更新:达:Macromedia ColdFusion / JRun远程系统缓冲区溢出漏洞参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&r=1&b=200211&w=2参考:达:AD20021112参考:网址:http://www.eeye.com/html/Research/Advisories/AD20021112.html基于堆的缓冲区溢出的错误处理机制IIS ISAPI Macromedia ColdFusion 6.0处理程序允许远程攻击者通过HTTP GET请求来执行任意长.cfm文件名。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1309 3供应商确认:未知discloser-claimed内容决定:SF-CODEBASE, SF-EXEC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1310网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1310最终决定:阶段性裁决:修改:建议:20030317分配:20021115类别:科幻参考:BUGTRAQ: 20021112达:Macromedia ColdFusion / JRun远程系统缓冲区溢出漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-11/0149.html参考:VULNWATCH: 20021119更新:达:Macromedia ColdFusion / JRun远程系统缓冲区溢出漏洞参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0080.html参考:BUGTRAQ: 20021119更新:达:Macromedia ColdFusion / JRun远程系统缓冲区溢出漏洞参考:网址:http://marc.theaimsgroup.com/?l=bugtraq&r=1&b=200211&w=2参考:达:AD20021112参考:网址:http://www.eeye.com/html/Research/Advisories/AD20021112.html基于堆的缓冲区溢出的错误处理机制IIS ISAPI早些时候在Macromedia JRun 4.0和处理程序允许远程攻击者通过HTTP GET请求来执行任意长jsp文件名。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1310 3供应商确认:未知discloser-claimed内容决定:SF-CODEBASE, SF-EXEC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1471网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1471最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20021003 SSL证书验证问题Ximian进化参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0045.html参考:XF: evolution-camel-certificate-mitm(10292)参考:网址:http://www.iss.net/security_center/static/10292.php参考:报价:5875参考:网址:http://www.securityfocus.com/bid/5875骆驼组件1.0 Ximian进化。x和早些时候不验证证书的时候建立一个新的SSL连接此前验证证书,这可能允许攻击者远程监控或修改会议通过中间人攻击。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1471 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1478网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1478最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020903仙人掌安全问题参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0028.html参考:MISC:http://www.knights-of-the-routing-table.org/advisories/krt_001_20020903_cacti.txt参考:XF: cacti-console-mode-commands(10050)参考:网址:http://www.iss.net/security_center/static/10050.php参考:报价:5630参考:网址:http://www.securityfocus.com/bid/5630仙人掌0.6.8之前允许攻击者执行任意命令通过“数据输入”选项在控制台模式。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1478 3供应商确认:准确性:从报告中还不清楚是否“控制台模式”是远程;如果在命令行访问,这可能不是一个漏洞除非setuid仙人掌。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1479网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1479最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020903仙人掌安全问题参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0028.html参考:MISC:http://www.knights-of-the-routing-table.org/advisories/krt_001_20020903_cacti.txt参考:XF: cacti-config-world-readable(10049)参考:网址:http://www.iss.net/security_center/static/10049.php参考:报价:5628参考:网址:http://www.securityfocus.com/bid/5628仙人掌在0.6.8 MySQL用户名和密码存储在明文配置。php,全局权限,允许本地用户修改数据库作为仙人掌用户和可能获得的特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1479 3供应商确认:准确性:从报告中还不清楚是否“控制台模式”是远程;如果在命令行访问,这可能不是一个漏洞除非setuid仙人掌。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1480网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1480最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020909 phpGB:跨站脚本漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0069.html参考:报价:5676参考:网址:http://www.securityfocus.com/bid/5676参考:XF: phpgb-entry-deletion-xss(10060)参考:网址:http://www.iss.net/security_center/static/10060.php跨站点脚本(XSS)脆弱性在phpGB 1.20允许远程攻击者将任意的HTML或脚本注入留言板页面,这是当管理员执行删除条目。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1480 3供应商确认:未知discloser-claimed内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1481网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1481最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020909 phpGB: DoS和executing_arbitrary_commands参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0076.html参考:报价:5679参考:网址:http://www.securityfocus.com/bid/5679参考:XF: phpgb-savesettings-unauth-access(10065)参考:网址:http://www.iss.net/security_center/static/10065.php储存设定。早些时候在phpGB 1.20和php不需要身份验证,它允许远程攻击者造成拒绝服务或执行任意的php代码通过使用储存设定。php修改config . php。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1481 3供应商确认:未知discloser-claimed内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1482网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1482最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020909 phpGB: DoS和executing_arbitrary_commands参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0076.html参考:报价:5673参考:网址:http://www.securityfocus.com/bid/5673参考:XF: phpgb-login-sql-injection(10068)参考:网址:http://www.iss.net/security_center/static/10068.php在登录SQL注入漏洞。php 1.20 phpGB和早些时候,magic_quotes_gpc未启用时,允许远程攻击者获得管理权限通过密码输入的SQL代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1482 3供应商确认:未知discloser-claimed内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1484网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1484最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:CF参考:BUGTRAQ: 20020917咨询:tcp连接的风险DB4Web参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0201.html参考:VULNWATCH: 20020919咨询:tcp连接的风险DB4Web参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0125.html参考:XF: db4web-tcp-portscan(10136)参考:网址:http://www.iss.net/security_center/static/10136.php参考:报价:5725参考:网址:http://www.securityfocus.com/bid/5725DB4Web服务器,当配置为使用详细的调试信息,允许远程攻击者使用DB4Web代理和尝试TCP连接到其他系统(端口扫描)通过一个URL请求,指定目标IP地址和端口,并产生一种连接状态在生成的错误消息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1484 3供应商确认:没有争议内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1485网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1485最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020923 Trillian远程DoS攻击-目标参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0282.htmlTrillian 0.73和0.74的目标组件允许远程攻击者造成拒绝服务(崩溃)通过特定的字符串,如“P > < C”。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1485 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1486网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1486最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020920另一个。Trillian“加入”溢出。参考网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0258.html参考:BUGTRAQ: 20020921。Trillian的原始221溢出。参考网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0266.html参考:BUGTRAQ: 20020922 *叹息* Trillian多个DoS参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0268.html参考:NTBUGTRAQ: 20020914 Trillian .71下面,识别缺陷。参考网址:http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0139.html参考:NTBUGTRAQ: 20020919 Trillian .73 & .74 PRIVMSG溢出。参考网址:http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0140.html参考:报价:5769参考:网址:http://www.securityfocus.com/bid/5769参考:报价:5777参考:网址:http://www.securityfocus.com/bid/5777参考:XF: trillian-raw221-bo(10151)参考:网址:http://www.iss.net/security_center/static/10151.php参考:报价:5765参考:网址:http://www.securityfocus.com/bid/5765参考:XF: trillian-irc-server-bo(10163)参考:网址:http://www.iss.net/security_center/static/10163.php参考:XF: trillian-irc-join-bo(10150)参考:网址:http://www.iss.net/security_center/static/10150.php多个缓冲区溢出Trillian 0.73和0.74的IRC组件允许远程恶意IRC服务器造成拒绝服务并通过(1)可能执行任意代码从服务器响应,(2)加入长通道名称,(3)“原始221”消息,(4)与昵称,PRIVMSG或(5)响应识别服务器。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1486 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1487网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1487最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020922 *叹息* Trillian多个DoS参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0268.html参考:报价:5775参考:网址:http://www.securityfocus.com/bid/5775参考:XF: trillian-irc-raw-dos(10161)参考:网址:http://www.iss.net/security_center/static/10161.phpTrillian 0.73和0.74的IRC组件允许远程恶意IRC服务器导致拒绝服务(崩溃)发送的原始信息(1)206(2)211年,213年(3),(4)214年,215年(5),217(6),(7)218年,243年(8),302(9),317(10),(11),324(12)332(13)333年,352年(14),(15)367。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1487 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1488网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1488最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020922 *叹息* Trillian多个DoS参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0268.html参考:报价:5776参考:网址:http://www.securityfocus.com/bid/5776参考:XF: trillian-part-message-dos(10162)参考:网址:http://www.iss.net/security_center/static/10162.phpTrillian 0.73和0.74的IRC组件允许远程恶意IRC服务器导致拒绝服务(崩溃)通过部分消息(1)失踪的通道或(2)一个通道Trillian用户不在。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1488 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1489网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1489最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20021017新缓冲区溢出plaetDNS参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0236.html参考:BUGTRAQ: 20020914星球Web软件缓冲区溢位参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0166.html参考:XF: planetweb-long-url-bo(10391)参考:网址:http://www.iss.net/security_center/static/10391.php参考:报价:5710参考:网址:http://www.securityfocus.com/bid/5710参考:XF: planetweb-long-url-bo(10124)参考:网址:http://www.iss.net/security_center/static/10124.php1.14和更早的缓冲区溢出在PlanetDNS PlanetWeb允许远程攻击者执行任意代码通过(1)具有长URL的HTTP GET请求或(2)请求长方法的名字。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1489 3供应商确认:内容决定:SF-LOC抽象:两个溢出影响1.14版本,因此应该合并根据CD: SF-LOC。此外,攻击发出一个长字符串,可能不同的攻击向量触发相同的脆弱的代码。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1494网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1494最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020903跨站点脚本在Aestiva参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0026.html参考:报价:5618参考:网址:http://www.securityfocus.com/bid/5618参考:XF: aestiva-htmlos-cgi-xss(10029)参考:网址:http://www.iss.net/security_center/static/10029.php跨站点脚本(XSS) Aestiva HTML / OS漏洞允许远程攻击者通过插入脚本插入任意的HTML或脚本后/字符后,将脚本插入生成的错误消息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1494 3供应商确认:没有投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1495网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1495最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020922 JAWmail XSS参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0270.html参考:XF: jawmail-mail-message-xss(10152)参考:网址:http://www.iss.net/security_center/static/10152.php参考:报价:5771参考:网址:http://www.securityfocus.com/bid/5771跨站点脚本(XSS)脆弱性JAWmail 1.0 rc1允许远程攻击者插入任意脚本或HTML通过(1)在读取邮件附加文件名称功能,(2)text / HTML邮件显示在弹出窗口中,和(3)中某些恶意属性否则安全标签,如鼠标移到目标上。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1495 3供应商确认:未知discloser-claimed内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1501网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1501最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020913扫描对Enterasys SSR8000崩溃系统参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0141.html参考:MISC:http://www.enterasys.com/support/techtips/tk0659 - 9. - html参考:报价:5703参考:网址:http://www.securityfocus.com/bid/5703参考:XF: smartswitch-portscan-dos(10096)参考:网址:http://www.iss.net/security_center/static/10096.php国会议员功能Enterasys SSR8000(智能交换机路由器)之前固件8.3.0.10允许远程攻击者造成拒绝服务(崩溃)通过多个端口扫描端口15077和15078。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1501 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1504网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1504最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020905咨询参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0045.html参考:XF: webserver-4everyone-directory-traversal(10051)参考:网址:http://www.iss.net/security_center/static/10051.php目录遍历漏洞在网络服务器4人1.22允许远程攻击者读取任意文件通过“. .\”(圆点反斜杠)序列在一个URL。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1504 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1505网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1505最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:BUGTRAQ: 20020908 sql注入漏洞WBB 2.0 RC1和低于参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0083.html参考:报价:5675参考:网址:http://www.securityfocus.com/bid/5675参考:XF: wbb-board-sql-injection(10069)参考:网址:http://www.iss.net/security_center/static/10069.phpSQL注入漏洞在董事会。php为WoltLab燃烧板(wBB) 2.0 RC 1和允许远程攻击者修改数据库和早些时候可能通过boardid参数获得的特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1505 3供应商确认:未知discloser-claimed固定投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1507网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1507最终决定:阶段性裁决:修改:建议:20030317分配:20030205类别:科幻参考:VULNWATCH: 20020917弗兰克-威廉姆斯:[ut2003bugs] ut2003演示引用远程拒绝服务:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0116.html参考:XF: ut-console-dos(10128)参考:网址:http://www.iss.net/security_center/static/10128.php虚幻竞技场2003 (ut2003)客户端和服务器允许远程攻击者通过畸形引起拒绝服务消息包含一个小的字符数UDP端口7778或10777。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1507 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1512网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1512最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20020912竞态条件BRU工作站17.0参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0154.html参考:报价:5708参考:网址:http://www.securityfocus.com/bid/5708参考:XF: bru-xbru-race-condition(10101)参考:网址:http://www.iss.net/security_center/static/10101.phpxbru BRU工作站17.0允许本地用户覆盖任意文件并获得通过一个符号链接攻击xbru_dscheck root特权。dd临时文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1512 3供应商确认:内容决定:SF-LOC抽象:这个问题影响BRU版本一样可以- 2002 - 0210,但之间有一段几个月报告,所以它是合理的,有单独的标识符。抽象/准确性:最初的报告是不清楚,但这可能是一个shell元字符的符号链接问题使利用问题,在利用,创造了一个不寻常的日志/ xferlog目录的文件名。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1514网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1514最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20020925宝蓝数据库本地根利用参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0311.html参考:报价:5805参考:网址:http://www.securityfocus.com/bid/5805参考:XF: interbase-gdslockmgr-bo(10196)参考:网址:http://www.iss.net/security_center/static/10196.phpgds_lock_mgr宝蓝数据库允许本地用户覆盖文件并获得通过一个符号链接攻击“isc_init1特权。X”临时文件,演示了通过修改xinetdbd文件。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1514 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1521网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1521最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:VULNWATCH: 20020925 (SecurityOffice)网络服务器4 d v3.6弱密码保护漏洞参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0128.html参考:XF: webserver-4d-plaintext-passwords(10198)参考:网址:http://www.iss.net/security_center/static/10198.php参考:报价:5803参考:网址:http://www.securityfocus.com/bid/5803Web服务器4 d (WS4D) 3.6 WS4D在明文存储密码。4 dd文件,它允许攻击者获得特权。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1521 3供应商确认:没有投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1522网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1522最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:参考:BUGTRAQ: 20021005 Vulnerabilitie PowerFTP服务器参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0075.html参考:BUGTRAQ: 20021012 Coolsoft PowerFTP < = v2.24拒绝服务(Linux源代码)参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0194.html参考:报价:5899参考:网址:http://www.securityfocus.com/bid/5899参考:XF: powerftp-long-username-dos(10286)参考:网址:http://www.iss.net/security_center/static/10286.php缓冲区溢出在PowerFTP FTP服务器2.24中,可能还有其他版本,允许远程攻击者可能导致拒绝服务和通过长期用户参数执行任意代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1522 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1524网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1524最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20020929 IIL咨询:Winamp 3 (1.0.0.488) XML解析器缓冲区溢出漏洞参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0346.html参考:报价:5832参考:网址:http://www.securityfocus.com/bid/5832参考:XF: winamp-xml-parser-bo(10228)参考:网址:http://www.iss.net/security_center/static/10228.php缓冲区溢出在wsabi XML解析器。dll Winamp 3(1.0.0.488)允许远程攻击者通过皮肤执行任意代码文件(.wal)包含文件标签。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1524 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1525网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1525最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20020929 (LoWNOISE)“知识”SunONE Starter Kit - Sun Microsystems / Astaware参考:网址:http://online.securityfocus.com/archive/1/293545参考:报价:5828参考:网址:http://www.securityfocus.com/bid/5828参考:XF: sunone-starterkit-search-traversal(10225)参考:网址:http://www.iss.net/security_center/static/10225.php目录遍历脆弱性ASTAware SearchDisk引擎太阳一个Starter Kit 2.0允许远程攻击者读取任意文件通过一个. .(点点)攻击端口6015(1)或(2)6016年,或(3)端口6017的绝对路径名。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1525 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1526网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1526最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:VULNWATCH: 20020926 [VULNWATCH] EMU邮箱5.0 XSS vuln,和webroot路径披露参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0131.html参考:报价:5824参考:网址:http://www.securityfocus.com/bid/5824跨站点脚本(XSS)在emumail脆弱性。cgi EMU Webmail 5.0允许远程攻击者将通过电子邮件地址字段任意的HTML或脚本。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1526 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1527网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1527最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:VULNWATCH: 20020926 [VULNWATCH] EMU邮箱5.0 XSS vuln,和webroot路径披露参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0131.html参考:报价:5823参考:网址:http://www.securityfocus.com/bid/5823参考:XF: emu-webmail-path-disclosure(10204)参考:网址:http://www.iss.net/security_center/static/10204.phpemumail。cgi EMU邮箱5.0允许远程攻击者决定emumail的完整路径名。cgi通过一个畸形的字符串包含脚本,生成一个正则表达式匹配错误,包括路径名在生成的错误消息。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1527 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1528网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1528最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20021010 MondoSearch显示所有文件的来源参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0147.html参考:XF: mondosearch-url-souce-disclosure(10350)参考:网址:http://www.iss.net/security_center/static/10350.php参考:报价:5941参考:网址:http://www.securityfocus.com/bid/5941MsmMask。exe MondoSearch 4.4允许远程攻击者获得通过掩模参数的脚本的源代码。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1528 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1529网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1529最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20021008四个漏洞SurfControl SuperScout邮件过滤器管理服务器参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0137.html参考:XF: superscout-emailfilter-error-xss(10319)参考:网址:http://www.iss.net/security_center/static/10319.php参考:报价:5928参考:网址:http://www.securityfocus.com/bid/5928跨站点脚本(XSS)在msgError脆弱性。asp管理web接口(STEMWADM) SurfControl SuperScout邮件过滤器允许远程攻击者插入任意脚本或HTML通过参数的原因。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1529 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1530网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1530最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20021008四个漏洞SurfControl SuperScout邮件过滤器管理服务器参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0137.html参考:报价:5929参考:网址:http://www.securityfocus.com/bid/5929参考:XF: superscout-emailfilter-plaintext-passwords(10320)参考:网址:http://www.iss.net/security_center/static/10320.php管理web界面(STEMWADM) SurfControl SuperScout邮件过滤器允许用户获取用户名和通过请求userlist明文密码。asp程序,包括密码用户编辑表单。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1530 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1531网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1531最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20021008四个漏洞SurfControl SuperScout邮件过滤器管理服务器参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0137.html参考:XF: superscout-emailfilter-content-dos(10321)参考:网址:http://www.iss.net/security_center/static/10321.php参考:报价:5930参考:网址:http://www.securityfocus.com/bid/5930管理web界面(STEMWADM) SurfControl SuperScout邮件过滤器允许远程攻击者造成拒绝服务(崩溃)通过一个HTTP请求没有内容长度参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1531 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1532网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1532最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20021008四个漏洞SurfControl SuperScout邮件过滤器管理服务器参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0137.html参考:报价:5931参考:网址:http://www.securityfocus.com/bid/5931参考:XF: superscout-emailfilter-get-dos(10322)参考:网址:http://www.iss.net/security_center/static/10322.php管理web界面(STEMWADM) SurfControl SuperScout邮件过滤器允许远程攻击者造成拒绝服务(资源枯竭)通过GET请求没有终止/ r / n / r / n (CRLF)序列,导致界面等待序列和阻止其他用户访问它。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1532 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1533网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1533最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20020928 Jetty jsp / servlet引擎xss uname披露vuln参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-09/0337.html参考:报价:5821参考:网址:http://www.securityfocus.com/bid/5821参考:XF: jetty-http-xss(10219)参考:网址:http://www.iss.net/security_center/static/10219.php跨站点脚本(XSS)脆弱性在Jetty JSP servlet引擎允许远程攻击者插入任意的HTML或通过一个HTTP请求脚本. JSP文件的名字包含恶意脚本和一些编码换行字符(% 0 a)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1533 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1534网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1534最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20021006 Flash播放器可以读取本地文件参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0083.html参考:XF: flash-xml-read-files(10297)参考:网址:http://www.iss.net/security_center/static/10297.php参考:报价:5904参考:网址:http://www.securityfocus.com/bid/5904Macromedia Flash播放器允许远程攻击者通过XML脚本读取任意文件的. swf文件驻留在远程SMB份额。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1534 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1535网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1535最终决定:阶段性裁决:修改:建议:20030317分配:20030223类别:科幻参考:BUGTRAQ: 20021014赛门铁克企业防火墙安全网络服务器信息泄漏参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0190.html参考:报价:5959参考:网址:http://www.securityfocus.com/bid/5959安全网络服务器1.1在猛禽6.5和赛门铁克企业防火墙6.5.2允许远程攻击者识别IP地址的主机在内部网络上通过一个连接请求,生成不同的错误消息如果主人。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1535 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1536网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1536最终决定:阶段性裁决:修改:建议:20030317分配:20030225类别:科幻参考:VULNWATCH: 20021018扫描同事咨询:莫莉0.5 -远程命令执行参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0028.html参考:BUGTRAQ: 20021018扫描同事咨询:莫莉0.5 -远程命令执行参考:网址:http://online.securityfocus.com/archive/1/296163参考:报价:6007参考:网址:http://www.securityfocus.com/bid/6007参考:XF: molly-host-execute-commands(10397)参考:网址:http://www.iss.net/security_center/static/10397.php莫莉IRC 0.5允许远程攻击者通过执行任意命令shell元字符(1)美元对网路资讯查询主机变量。pl,(2)美元,美元或美元消息变量在流行。(3 pl),单词或美元在sms文本变量。pl,或(4)服务器或打印机美元hpled.pl变量。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1536 3供应商确认:没有投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1537网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1537最终决定:阶段性裁决:修改:建议:20030317分配:20030225类别:科幻参考:BUGTRAQ: 20021027特权升级漏洞phpBB 2.0.0参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0385.html参考:XF: phpbb-adminugauth-admin-privileges(10489)参考:网址:http://www.iss.net/security_center/static/10489.php参考:报价:6056参考:网址:http://www.securityfocus.com/bid/6056admin_ug_auth。php在phpBB 2.0.0允许本地用户直接调用admin_ug_auth获得管理员权限。php与modifed表单字段,如“u”。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1537 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1538网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1538最终决定:阶段性裁决:修改:建议:20030317分配:20030225类别:科幻参考:BUGTRAQ: 20021025 Sec-Tec咨询24.10.02未经授权的文件acc Acuma参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0366.html参考:XF: acusend-unauthorized-file-access(10473)参考:网址:http://www.iss.net/security_center/static/10473.php参考:报价:6048参考:网址:http://www.securityfocus.com/bid/6048Acuma Acusend 4,可能是早期版本,允许远程经过身份验证的用户阅读其他用户的报告推断完整的URL,名字很容易预测的。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1538 3供应商确认:未知discloser-claimed投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1539网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1539最终决定:阶段性裁决:修改:建议:20030317分配:20030225类别:科幻参考:BUGTRAQ: 20021027 MDaemon SMTP / POP / IMAP服务器DoS参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0382.html参考:XF: mdaemon-dele-uidl-dos(10488)参考:网址:http://www.iss.net/security_center/static/10488.php参考:报价:6053参考:网址:http://www.securityfocus.com/bid/6053早些时候在MDaemon流行服务器6.0.7和缓冲区溢出允许远程经过身份验证的用户造成拒绝服务通过长(1)删除或(2)UIDL参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1539 3供应商确认:未知discloser-claimed内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1541网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1541最终决定:阶段性裁决:修改:建议:20030317分配:20030225类别:科幻参考:VULNWATCH: 20021024 [SecurityOffice] BadBlue Web服务器v1.7保护文件访问漏洞参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0041.html参考:报价:6044参考:网址:http://www.securityfocus.com/bid/6044参考:XF: badblue-protected-file-access(10466)参考:网址:http://www.iss.net/security_center/static/10466.phpBadBlue 1.7允许远程攻击者绕过密码保护目录和文件通过一个HTTP请求包含一个额外的/(削减)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1541 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1542网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1542最终决定:阶段性裁决:修改:建议:20030317分配:20030225类别:科幻参考:VULNWATCH: 20021024 TFTP服务器DoS参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0040.htmlSolarWinds TFTP服务器5.0.55早些时候,允许远程攻击者造成拒绝服务(崩溃)通过一个大的UDP数据报,可能引发缓冲区溢出。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1542 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1544网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1544最终决定:阶段性裁决:修改:建议:20030317分配:20030225类别:科幻参考:BUGTRAQ: 20021010更多的愚蠢的错误cooolsoft个人ftp服务器的引用:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0142.html目录遍历脆弱性CooolSoft个人FTP服务器2.24允许远程攻击者读取或修改任意文件通过. .(点点)序列在命令(1)列表(ls)、(2) mkdir, (3)、(4)。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1544 3供应商确认:内容决定:SF-LOC, SF-CODEBASE抽象:可能会有一些重叠这个bug - 2001 - 0931,这是PowerFTP 2.03而不是这个包和版本。投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1545网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1545最终决定:阶段性裁决:修改:建议:20030317分配:20030225类别:科幻参考:BUGTRAQ: 20021010更多的愚蠢的错误cooolsoft个人ftp服务器的引用:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0142.htmlCooolSoft个人FTP服务器2.24允许远程攻击者获得的绝对路径名根通过FTP PWD命令,在响应中包括的完整路径。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1545 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1546网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1546最终决定:阶段性裁决:修改:建议:20030317分配:20030225类别:科幻参考:VULNWATCH: 20021024 [SecurityOffice] BRS WebWeaver Web服务器v1.01保护文件访问漏洞参考:网址:http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0043.html参考:MISC:http://www.securityoffice.net/articles/webweaver/参考:报价:6041参考:网址:http://www.securityfocus.com/bid/6041参考:XF: brs-webweaver-file-access(10467)参考:网址:http://www.iss.net/security_center/static/10467.phpBRS WebWeaver Web Server 1.01允许远程攻击者绕过密码保护的文件和目录包含一个“/通过一个HTTP请求。/”序列。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1546 3供应商确认:未知投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1549网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1549最终决定:阶段性裁决:修改:建议:20030317分配:20030304类别:科幻参考:BUGTRAQ: 20021112远程缓冲区溢出漏洞在光HTTPd参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-11/0138.html参考:报价:6162参考:网址:http://www.securityfocus.com/bid/6162参考:XF: light-httpd-bo(10607)参考:网址:http://www.iss.net/security_center/static/10607.php缓冲区溢出的HTTPd (lhttpd) 0.1允许远程攻击者执行任意代码通过一个HTTP GET请求。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1549 3供应商确认:投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1559网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1559最终决定:阶段性裁决:修改:建议:20030317分配:20030304类别:科幻参考:BUGTRAQ: 20021101 ion-p。exe允许远程文件检索参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0447.html参考:BUGTRAQ: 20021101 Re: ion-p。exe允许远程文件检索参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0448.html参考:XF: ion-ionp-view-files(10518)参考:网址:http://www.iss.net/security_center/static/10518.php参考:报价:6091参考:网址:http://www.securityfocus.com/bid/6091目录遍历ion-p脆弱性。exe(又名ion-p)允许远程攻击者通过(1)C:读取任意文件(驱动器)或(2). .(圆点)序列在页面参数。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1559 3供应商确认:内容决定:SF-LOC投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =候选人:- 2002 - 1560网址:http://cve.mitre.org/cgi - bin/cvename.cgi?name=can - 2002 - 1560最终决定:阶段性裁决:修改:建议:20030317分配:20030304类别:科幻参考:BUGTRAQ: 20021022 gBook参考:网址:http://archives.neohapsis.com/archives/bugtraq/2002-10/0328.html参考:报价:6033参考:网址:http://www.securityfocus.com/bid/6033参考:XF: gbook-mysql-admin-access(10455)参考:网址:http://www.iss.net/security_center/static/10455.php索引。php在gBook 1.4允许远程攻击者绕过身份验证和获得管理权限的登录参数设置为true。分析- - - - - - - - - - - - - - - - - ED_PRI - 2002 - 1560 3供应商确认:没有投票部分- - - - - - - - - - - - - - - -可能的选票:接受/修改/等待/审查/重塑/拒绝如果接受或修改,包括接受的理由:VERIFIED-BY-MY-ORG ACKNOWLEDGED-BY-VENDOR, VERIFIED-BY-SOMEONE-I-TRUST HAS-INDEPENDENT-CONFIRMATION或提供其他原因。投票:ACCEPT_REASON:评论:
- 上一页的日期:(提案)集群misc - 2002 - 39的候选人
- 下一个按日期:(提案)集群ms - 2002 - 47的候选人
- Prev线程:(提案)集群misc - 2002 - 39的候选人
- 下一个线程:(提案)集群ms - 2002 - 47的候选人
- 指数(es):
