Published: 2000-12-11 00:00:00
Revised: 2008-09-10 15:06:32

[Original] Netscape (iPlanet) Certificate Management System 4.2 and Directory Server 4.12 stores the administrative password in plaintext, which could allow local and possibly remote attackers to gain administrative privileges on the server.

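[CNNVD] Netscape (iPlanet) Certificate Management System and Directory Server vulnerability (CNNVD-200012-062)

Netscape (iPlanet) Certificate Management System 4.2 and Directory Server 4.12 store the administrator password in plaintext; local and possibly remote attackers can gain administrative privileges on the server.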

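- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause complete system shutdown]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]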

- CPE (affected platforms and products)

cpe:/a:netscape:directory_server:4.12  Netscape Netscape Directory Server 4.12
cpe:/a:sun:iplanet_certificate_management_system:4.2  Sun - Netscape Alliance iPlanet Certificate Management System 4.2

- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  XF  iplanet-netscape-plaintext-password
(UNKNOWN)  BUGTRAQ  20001026 [CORE SDI ADVISORY] iPlanet Certificate Management System 4.2 path traversal bug

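- Vulnerability information

Netscape (iPlanet) Certificate Management System and Directory Server vulnerability
Critical Unknown
2000-12-11 00:00:00 2006-09-20 00:00:00
Netscape (iPlanet) Certificate Management System 4.2 and Directory Server 4.12 store the administrator password in plaintext; local and possibly remote attackers can gain administrative privileges on the server.

- Advisories and patches


- Vulnerability information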

iPlanet CMS Admin Password Stored Cleartext
Local Access Required, Remote / Network Access Cryptographic, Information Disclosure
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

iPlanet CMS has a flaw that allows a local or remote attacker to obtain the administrative password. The issue is due to the software storing the administrator password in plaintext in the admin-serv/config/adm.conf file. Used in conjunction with other vulnerabilities present in this software, a remote attacker could request this file and obtain the password.

- Timeline

2000-10-26 Unknown
2000-10-26 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Sun Microsystems has released a patch to address this vulnerability.

- Related references

- Vulnerability author