CVE-2000-0853
CVSS 5.0
Published: 2000-11-14 00:00:00
Revised: 2008-09-05 16:22:02

[Original] YaBB Bulletin Board 9.1.2000 allows remote attackers to read arbitrary files via a .. (dot dot) attack.


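[CNNVD] YABB Remote File Disclosure Vulnerability (CNNVD-200011-062)

        YaBB.pl is a web-based bulletin board script.
        YaBB.pl stores board postings in numbered text files. The numbered file name is specified in the call to YaBB.pl through the variable num=<file>. Before retrieving the file, YaBB appends a .txt extension to <file>.
        Because of an input validation error in YaBB, relative paths can be specified in <file>, including ../ style paths. In addition, <file> does not need to be numeric, and the .txt extension can be avoided by appending %00 to <file>. By exploiting these problems in a single request, a malicious user can view any file that the web server has access to.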
        

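- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]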

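- CPE (Affected Platforms and Products)

Product and version information (CPE) is not currently available

- OVAL (Technical Details for Detection)

No related OVAL definitions found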

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0853
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0853
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200011-062
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/1668
(VENDOR_ADVISORY)  BID  1668
http://xforce.iss.net/static/5254.php
(VENDOR_ADVISORY)  XF  yabb-file-access
http://archives.neohapsis.com/archives/bugtraq/2000-09/0072.html
(VENDOR_ADVISORY)  BUGTRAQ  20000909 YaBB 1.9.2000 Vulnerabilitie

- Vulnerability Information

YABB Remote File Disclosure Vulnerability
Medium  Unknown
2000-11-14 00:00:00 2005-07-26 00:00:00
Remote
        
        

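- Advisories and Patches

        Vendor patch:
        YaBB
        ----
        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's home page:
        YaBB Upgrade YaBB 9.11.2000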
        
        http://www.yabb.org/download/yabb.zip

- Vulnerability Information (20218)

YaBB 9.1.2000 Arbitrary File Read Vulnerability (EDBID:20218)
cgi remote
2000-09-10 Verified
0 pestilence
N/A
source: http://www.securityfocus.com/bid/1668/info

YaBB.pl, a web-based bulletin board script, stores board postings in numbered text files. The numbered file name is specified in the call to YaBB.pl in the variable num=<file>. Before retrieving the file, YaBB will append a .txt extension to <file>.

Due to input validation problems in YaBB, relative paths can be specified in <file>. This includes ../ style paths.

Additionally, <file> does not need to be numerical, and the .txt extension can be avoided by appending %00 to <file>.

By exploiting these problems in a single request, a malicious user can view any file that the webserver has access to.

http://www.my_target.com/cgi-bin/YaBB.pl?board=news&action=display&num=../../../../../../../../etc/passwd%00		
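
The input check that the description above says was missing, as an added example in Perl (not YaBB's own code and not the vendor's fix): `num` is accepted only when the whole value is digits, which rejects `../` sequences, non-numeric names and a decoded `%00` in a single test. The directory `$MSG_DIR`, the function name `message_path` and the sample values are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

# Hypothetical message directory; the real YaBB layout is not shown on this page.
my $MSG_DIR = '/var/www/yabb/Messages';

# Map a "num" request value to a posting file, or return undef when the
# value is anything other than a plain decimal number.
sub message_path {
    my ($num) = @_;
    return unless defined $num;
    # \A and \z anchor the entire string, so "/", ".", NUL bytes and even a
    # trailing newline (which "$" would tolerate) all fail the match.
    return unless $num =~ /\A[0-9]{1,10}\z/;
    # The .txt suffix is appended only after validation, so a NUL byte can
    # never sit in front of it and cut it off.
    return File::Spec->catfile($MSG_DIR, "$num.txt");
}

# Constructed sample values, already URL-decoded as a CGI library returns them.
my @samples = (
    '12',                          # legitimate posting number
    '../../../../etc/passwd',      # relative path
    "../../../../etc/passwd\0",    # relative path plus decoded %00
    "12\0",                        # numeric prefix plus decoded %00
    'abc',                         # non-numeric name
    "12\n",                        # trailing newline
);

for my $num (@samples) {
    # Render non-printable bytes visibly before logging or printing them.
    (my $shown = $num) =~ s/([^\x20-\x7e])/sprintf('\\x%02x', ord $1)/ge;
    my $path = message_path($num);
    printf "%-32s => %s\n", $shown, defined $path ? $path : 'rejected';
}
```

An allowlist on the expected format is used here instead of stripping `../` or `%00`, because the description notes that all three weaknesses are combined in one request.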

- Vulnerability Information

411
YaBB YaBB.pl num Parameter Traversal Arbitrary File Access
Remote / Network Access Information Disclosure
Loss of Confidentiality Upgrade
Exploit Public Third-party Verified

- Vulnerability Description

YaBB contains a flaw that may allow a remote attacker to execute arbitrary commands or code. The issue is due to the 'YaBB.pl' script not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied to the 'num' parameter. This may allow an attacker to include a file from the targeted host that contains arbitrary commands or code that will be executed by the vulnerable script. Such attacks are limited due to the script only calling files already on the target host. In addition, this flaw can potentially be used to disclose the contents of any file on the system accessible by the web server.

- Timeline

2000-09-09 Unknown
Unknown Unknown

- Solution

Upgrade to version 9.11.2000 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

Unknown or Incomplete
 

 
