CVE-1999-0910
CVSS 5.0
Published: 1999-09-10 00:00:00
Revised: 2008-09-09 08:36:09

[Original] Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration for a cookie, which could then be cached by a proxy and inadvertently used by a different user.


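[CNNVD] Microsoft Site Server and CIS Cookie Caching Vulnerability (CNNVD-199909-019)

        Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration time for a cookie, which may then be cached by a proxy site and inadvertently used by a different user.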

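- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]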

- CPE (Affected Platforms and Products)

cpe:/a:microsoft:site_server_commerce:3.0:alpha
cpe:/a:microsoft:commercial_internet_system:2.0  Microsoft commercial_internet_system 2.0
cpe:/a:microsoft:commercial_internet_system:2.5  Microsoft commercial_internet_system 2.5
cpe:/a:microsoft:site_server:3.0  Microsoft Site Server 3.0

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0910
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0910
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199909-019
(Official data source) CNNVD

- Other Links and Resources

http://www.microsoft.com/technet/security/bulletin/ms99-035.asp
(VENDOR_ADVISORY)  MS  MS99-035
http://www.securityfocus.com/bid/625
(UNKNOWN)  BID  625

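- Vulnerability Information

Microsoft Site Server and CIS Cookie Caching Vulnerability
Medium  Race condition
1999-09-10 00:00:00 2006-02-20 00:00:00
Remote
        Microsoft Site Server and Commercial Internet System (MCIS) do not set an expiration time for a cookie, which may then be cached by a proxy site and inadvertently used by a different user.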

- Advisories and Patches

        Microsoft has released a patch that fixes this issue. It is available at:
        ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/Hotfixes-PostSP2/ProxyCache/

- Vulnerability Information

59259
Microsoft Site Server / Commercial Internet System (MCIS) Cookie Expiry Weakness
Remote / Network Access Authentication Management
Loss of Confidentiality Patch / RCS
Vendor Verified

- Vulnerability Description

- Timeline

1999-09-10 Unknown
Unknown 1999-09-10

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Microsoft has released a patch to address this vulnerability.

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Microsoft Site Server and CIS Cookie Caching Vulnerability
Race Condition Error 625
Yes No
1999-09-10 12:00:00 2009-07-11 12:56:00
First publicized in Microsoft Security Bulletin MS99-035 released September 10, 1999.

- Affected Program Versions

Microsoft Site Server Commerce Edition 3.0 i386
+ Hancom Hancom Office 2007 0
- Microsoft BackOffice 4.5
+ Microsoft Commercial Internet System 2.0
+ Microsoft Site Server Commerce Edition 3.0 alpha
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
Microsoft Site Server Commerce Edition 3.0 alpha
- Microsoft BackOffice 4.5
- Microsoft IIS 4.0
- Microsoft Windows NT 4.0
- Microsoft Windows NT Enterprise Server 4.0 SP6a
- Microsoft Windows NT Enterprise Server 4.0 SP6
- Microsoft Windows NT Enterprise Server 4.0 SP5
- Microsoft Windows NT Enterprise Server 4.0 SP4
- Microsoft Windows NT Enterprise Server 4.0 SP3
- Microsoft Windows NT Server 4.0 SP6a
- Microsoft Windows NT Server 4.0 SP6
- Microsoft Windows NT Server 4.0 SP5
- Microsoft Windows NT Server 4.0 SP4
- Microsoft Windows NT Server 4.0 SP3
Microsoft Commercial Internet System 2.5
Microsoft Commercial Internet System 2.0

- Vulnerability Discussion

Some versions of Site Server and Commercial Internet System will send pages that set a cookie without flagging the page with an expiration header. If a web proxy caches the page, the next user to access that page through the same proxy will receive the same Set-Cookie header. The second and subsequent users to do so may view personal or private information belonging to the first user if the cookies are part of an authentication scheme.
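
The condition described above can be checked on any captured response. The following is an added example, not code from Microsoft, SecurityFocus or this database; the function names and both sample responses are constructed for illustration. It reports why a shared proxy might store and replay a response that carries Set-Cookie.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def headers_of(raw):
    """Parse a raw HTTP response head into a list of (lowercased name, value)."""
    out = []
    for line in raw.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        out.append((name.strip().lower(), value.strip()))
    return out

def parse_http_date(value):
    """Return an aware datetime, or None if the value is not a valid HTTP date."""
    try:
        dt = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)

def already_expired(expires, date):
    """True if Expires is at or before Date (or now, when Date is absent)."""
    exp = parse_http_date(expires)
    if exp is None:
        return True  # caches treat an invalid Expires such as "0" as expired
    ref = (parse_http_date(date) if date else None) or datetime.now(timezone.utc)
    return exp <= ref

def cookie_cache_findings(raw):
    """List reasons a shared proxy could replay this response's Set-Cookie."""
    hdrs = headers_of(raw)
    if not any(n == "set-cookie" for n, _ in hdrs):
        return []
    first = lambda name: next((v for n, v in hdrs if n == name), None)
    directives = {d.split("=")[0].strip().lower()
                  for n, v in hdrs if n == "cache-control" for d in v.split(",")}
    findings = []
    if not directives & {"private", "no-store", "no-cache"}:
        findings.append("no Cache-Control: private/no-store/no-cache")
    expires = first("expires")
    if expires is None or not already_expired(expires, first("date")):
        findings.append("no already-expired Expires header for HTTP/1.0 caches")
    return findings

# Constructed sample responses (not captured from a real server).
DATE = "Date: Fri, 10 Sep 1999 12:00:00 GMT\r\n"
VULNERABLE = "HTTP/1.0 200 OK\r\n" + DATE + "Set-Cookie: session=sample; path=/\r\n\r\n"
HARDENED = ("HTTP/1.0 200 OK\r\n" + DATE + "Expires: Fri, 10 Sep 1999 12:00:00 GMT\r\n"
            "Cache-Control: private\r\nSet-Cookie: session=sample; path=/\r\n\r\n")
```

An empty result means the response tells both HTTP/1.0 and HTTP/1.1 shared caches not to reuse it.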

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Microsoft has released a patch that fixes this issue. It is available at:
ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/Hotfixes-PostSP2/ProxyCache/

- Related References
