CVE-1999-1440
CVSS 5.1
Published: 1999-01-01 00:00:00
Last revised: 2016-10-17 22:04:35

[Original] Win32 ICQ 98a 1.30, and possibly other versions, does not display the entire portion of long filenames, which could allow attackers to send an executable file with a long name that contains so many spaces that the .exe extension is not displayed, which could make the user believe that the file is safe to open from the client.


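[CNNVD] Mirabilis ICQ 98a vulnerability (CNNVD-199901-007)

        A vulnerability exists in Win32 ICQ 98a 1.30 and possibly other versions: they do not display the entire portion of very long filenames. An attacker can exploit this by sending an executable file with a very long name that contains so many spaces that the .exe extension is not displayed, which leads the user to believe the file is safe to open from the client.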

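- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-1440
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1440
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199901-007
(Official data source) CNNVD

- Other links and resources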

http://marc.info/?l=bugtraq&m=91522424302962&w=2
(UNKNOWN)  BUGTRAQ  19990101 Win32 ICQ 98a flaw
http://www.securityfocus.com/bid/132
(UNKNOWN)  BID  132

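- Vulnerability information

Mirabilis ICQ 98a vulnerability
Medium severity, Other
1999-01-01 00:00:00 2005-10-20 00:00:00
Remote
        A vulnerability exists in Win32 ICQ 98a 1.30 and possibly other versions: they do not display the entire portion of very long filenames. An attacker can exploit this by sending an executable file with a very long name that contains so many spaces that the .exe extension is not displayed, which leads the user to believe the file is safe to open from the client.

- Advisories and patches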

        Disable the option to automatically open associated files.

- Vulnerability information

7966
ICQ Truncated Long File Display

- Vulnerability description

Unknown or Incomplete

- Timeline

1999-01-01 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Mirabilis ICQ 98a Vulnerability
Failure to Handle Exceptional Conditions 132
Yes No
1999-01-01 12:00:00 2009-07-11 12:16:00
Justin Clift Digital Distribution www.digitaldistribution.com

- Affected software versions

Mirabilis ICQ 98.0 a
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT Enterprise Server 4.0

- Vulnerability discussion

A vulnerability exists in Mirabilis ICQ 98a that allows an attacker to send a file with a malformed name. For example, when a file is sent to a victim with the name (a long run of spaces precedes the extension):

"picture.jpg                                        .exe"

the user receiving the file will see only "picture.jpg" and not the ".exe" extension, and will assume it is a harmless JPG graphic. If they choose to open it automatically with its associated extension (.exe), the file is executed, allowing an attacker to execute arbitrary code such as a trojan.
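A receiving client or mail/IM gateway can compare the extension the operating system will act on with what a truncating display would show. The following check is an added example, not code from ICQ or from this advisory; the extension set, the padding threshold, the 32-character display width and all function names are assumptions, and it also flags control characters and double extensions, which goes slightly beyond the space-padding case described above.

```python
import re
import unicodedata

# Assumed, non-exhaustive set of extensions Windows runs directly.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
PAD_RUN = 8          # assumed: this many consecutive blanks counts as padding
DISPLAY_WIDTH = 32   # assumed width of a truncating filename field

# Constructed sample in the shape the advisory describes.
PADDED_SAMPLE = "picture.jpg" + " " * 60 + ".exe"


def real_extension(name: str) -> str:
    """Extension the OS acts on: text after the last dot, lowercased.
    Trailing spaces and dots are dropped first, as Win32 does."""
    stem, dot, ext = name.rstrip(" .").rpartition(".")
    return (dot + ext).lower() if stem else ""


def displayed(name: str, width: int = DISPLAY_WIDTH) -> str:
    """What a field showing only the first `width` characters of the
    first line would render to the user."""
    return name.splitlines()[0][:width].rstrip() if name else ""


def check_filename(name: str, width: int = DISPLAY_WIDTH) -> list:
    """Return the reasons a received filename should be blocked or renamed."""
    findings = []
    ext = real_extension(name)
    if re.search(r"\s{%d,}" % PAD_RUN, name):
        findings.append("padding")
    if any(unicodedata.category(c) in ("Cc", "Cf") for c in name):
        findings.append("control-char")
    # The user never sees the extension that decides how the file opens.
    if ext in EXECUTABLE_EXTS and not displayed(name, width).lower().endswith(ext):
        findings.append("hidden-executable-extension")
    # A harmless-looking extension followed by an executable one.
    m = re.search(r"(\.[A-Za-z0-9]{1,4})\s*(\.[A-Za-z0-9]{1,4})$", name.rstrip(" ."))
    if m and m.group(2).lower() in EXECUTABLE_EXTS:
        findings.append("double-extension")
    return findings


if __name__ == "__main__":
    for sample in (PADDED_SAMPLE, "holiday.jpg", "setup.exe"):
        print(repr(displayed(sample)), real_extension(sample), check_filename(sample))
```

Any non-empty result is grounds to reject the transfer or to show the user the full, normalized name before the file can be opened.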

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Disable the option to automatically open associated files.

- Related references
