CVE-1999-0970
CVSS 5.0
Published: 1999-06-05 00:00:00
Last revised: 2008-09-09 08:36:15

[Original] The OmniHTTPD visadmin.exe program allows a remote attacker to conduct a denial of service via a malformed URL which causes a large number of temporary files to be created.


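[CNNVD] OmniHTTPd visadmin.exe denial-of-service vulnerability (CNNVD-199906-010)

        OmniHTTPd is a web server program developed by Omnicron that runs on the Windows platform.
        A remote administration component in older versions of OmniHTTPd contains a design error that a remote attacker may exploit to carry out a denial-of-service attack against the server program.
        If the file visadmin.exe is present in the cgi-bin directory of the OmniHTTPd Web Server, an attacker only needs to enter the following command:
        http://omni.server/cgi-bin/visadmin.exe?user=guest
        Within a few minutes the server's hard disk will be filled with a large number of temporary files, which must be deleted manually.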
        

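- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause reduced performance or interruptions in resource availability]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]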

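- CPE (Affected Platforms and Products)

Product and version information (CPE) is not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0970
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0970
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199906-010
(Official data source) CNNVD

- Other Links and Resources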

http://xforce.iss.net/static/2271.php
(VENDOR_ADVISORY)  XF  omnihttpd-dos(2271)
http://www.securityfocus.com/bid/1808
(UNKNOWN)  BID  1808
http://www.securityfocus.com/archive/1/14311
(UNKNOWN)  BUGTRAQ  19990605 Remote Exploit (Bug) in OmniHTTPd Web Server

- Vulnerability Information

OmniHTTPd visadmin.exe denial-of-service vulnerability
Medium risk  Design error
1999-06-05 00:00:00 2005-10-20 00:00:00
Remote
        
        

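- Advisories and Patches

        Workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the threat:
        * Move visadmin.exe out of the /cgi-bin directory, or delete it.
        Vendor patch:
        Omnicron
        --------
        The vendor has released a new version that fixes this security issue. Contact the vendor to obtain version 2.0 Alpha 2 or later:
        
        http://www.omnicron.ca/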

- Vulnerability Information (20304)

Omnicron OmniHTTPD 1.1/2.0 Alpha 1 visiadmin.exe Denial of Service Vulnerability (EDBID:20304)
windows dos
1999-06-05 Verified
0 Valentin Perelogin
N/A
source: http://www.securityfocus.com/bid/1808/info

OmniHTTPD is a web-server offered by Omnicron for the MS Windows platform. One of the CGI utilities it ships with and installs by default contains a bug that could, if exploited, lead to a denial of service condition on the host it runs on. When the "visiadmin.exe" program is executed via CGI with the argument "user=guest", it creates temporary files until the hard drive fills. The files then need to be manually removed before anything can be written to the disk. The technical reasons for this behaviour are not known.

http://omni.server/cgi-bin/visadmin.exe?user=guest		

- Vulnerability Information

231
OmniHTTPd visadmin.exe Malformed URL Handling Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Exploit Public

- Vulnerability Description

- Timeline

1999-06-05 Unknown
1999-06-05 Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

OmniHTTPD visiadmin.exe Denial of Service Vulnerability
Design Error 1808
Yes No
1999-06-05 12:00:00 2009-07-11 03:56:00
First posted to Bugtraq by Valentin Perelogin <viktor@parnu.ee> on June 5, 1999.

- Affected Versions

Omnicron OmniHTTPD 2.0 Alpha 1
Omnicron OmniHTTPD 1.1
Omnicron OmniHTTPD 2.0 Alpha 2

- Unaffected Versions

Omnicron OmniHTTPD 2.0 Alpha 2

- Discussion

OmniHTTPD is a web-server offered by Omnicron for the MS Windows platform. One of the CGI utilities it ships with and installs by default contains a bug that could, if exploited, lead to a denial of service condition on the host it runs on. When the "visiadmin.exe" program is executed via CGI with the argument "user=guest", it creates temporary files until the hard drive fills. The files then need to be manually removed before anything can be written to the disk. The technical reasons for this behaviour are not known.

- Exploit

http://omni.server/cgi-bin/visadmin.exe?user=guest

- Solution

It is believed (though unconfirmed) that this problem was fixed in the 2.0 Alpha 2 release of Omnicron OmniHTTPD. To be safe, it is suggested that the visiadmin.exe program be removed from the cgi-bin directory.

- Related References

 

 
