CVE-2000-1177
CVSS5.0
发布时间 :2001-01-09 00:00:00
修订时间 :2008-09-05 16:22:50
NMCOES    

[原文]bb-hist.sh, bb-histlog.sh, bb-hostsvc.sh, bb-rep.sh, bb-replog.sh, and bb-ack.sh in Big Brother (BB) before 1.5d3 allows remote attackers to determine the existence of files and user ID's by specifying the target file in the HISTFILE parameter.


[CNNVD]BB4 Big Brother多个CGI漏洞(CNNVD-200101-094)

        Big Brother (BB) 1.5d3之前版本的bb-hist.sh,bb-histlog.sh,bb-hostsvc.sh,bb-rep.sh,bb-replog.sh和bb-ack.sh存在漏洞。远程攻击者可以通过指定HISTFILE参数中的目标文件来确定文件和用户ID的存在。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1177
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-1177
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200101-094
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/1971
(VENDOR_ADVISORY)  BID  1971
http://archives.neohapsis.com/archives/bugtraq/2000-11/0284.html
(VENDOR_ADVISORY)  BUGTRAQ  20001121 Big Brother Advisory - Fate Research Labs
http://bb4.com/incident.nov21
(UNKNOWN)  CONFIRM  http://bb4.com/incident.nov21

- 漏洞信息

BB4 Big Brother多个CGI漏洞
中危 输入验证
2001-01-09 00:00:00 2005-10-20 00:00:00
远程  
        Big Brother (BB) 1.5d3之前版本的bb-hist.sh,bb-histlog.sh,bb-hostsvc.sh,bb-rep.sh,bb-replog.sh和bb-ack.sh存在漏洞。远程攻击者可以通过指定HISTFILE参数中的目标文件来确定文件和用户ID的存在。

- 公告与补丁

        Patches available:
        BB4 Big Brother Network Monitor 1.5 d2
        

- 漏洞信息 (20413)

BB4 Big Brother Network Monitor 1.5 d2 bb-hist.sh HISTFILE Parameter File Existence Disclosure (EDBID:20413)
unix remote
2000-11-20 Verified
0 f8 Research Labs
N/A [点击下载]
source : http://www.securityfocus.com/bid/1971/info

Big Brother Network Monitor is a robust, feature rich network monitoring package produced by BB4 Technologies. A problem exists that can allow remote account guessing.

The problem occurs in the Common Gateway Interface package included with Big Brother, which runs on the Big Brother Display Server. The CGI is responsible for statistical posting of network operations on the Big Brother Display Server, an interface which is accessible via Web Browser. Due to insufficient handling of input, it is possible to verify the existance of sensitive files and valid user accounts through the the CGI of the Display Server. Yielding this information to a malicious user could result in a targeted brute force password cracking attack.

The following files are affected by this flaw:

bb-hist.sh
bb-histlog.sh
bb-hostsvc.sh 
bb-rep.sh 
bb-replog.sh 
bb-ack.sh

http://www.victim.com/cgi-bin/bb-hist.sh?HISTFILE=/home/*		

- 漏洞信息

9438
Big Brother bb-hist.sh HISTFILE Parameter File Existence Disclosure
Remote / Network Access Input Manipulation
Loss of Confidentiality Upgrade
Vendor Verified

- 漏洞描述

- 时间线

2000-11-21 Unknow
2000-11-21 Unknow

- 解决方案

Upgrade to version 1.5d3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

BB4 Big Brother Multiple CGI Vulnerabilities
Input Validation Error 1971
Yes No
2000-11-20 12:00:00 2009-07-11 03:56:00
This vulnerability was first announced by Loki in a f8 Research Labs Advisory posted to BugTraq on November 20, 2000.

- 受影响的程序版本

BB4 Big Brother Network Monitor 1.5 d2
- FreeBSD FreeBSD 4.2
- HP HP-UX 11.11
- Mandriva Linux Mandrake 7.2
- NetBSD NetBSD 1.4.2
- OpenBSD OpenBSD 2.8
- RedHat Linux 7.0
- S.u.S.E. Linux 7.0
- Sun Solaris 8_sparc

- 漏洞讨论

Big Brother Network Monitor is a robust, feature rich network monitoring package produced by BB4 Technologies. A problem exists that can allow remote account guessing.

The problem occurs in the Common Gateway Interface package included with Big Brother, which runs on the Big Brother Display Server. The CGI is responsible for statistical posting of network operations on the Big Brother Display Server, an interface which is accessible via Web Browser. Due to insufficient handling of input, it is possible to verify the existance of sensitive files and valid user accounts through the the CGI of the Display Server. Yielding this information to a malicious user could result in a targeted brute force password cracking attack.

The following files are affected by this flaw:

bb-hist.sh
bb-histlog.sh
bb-hostsvc.sh
bb-rep.sh
bb-replog.sh
bb-ack.sh

- 漏洞利用

http://www.victim.com/cgi-bin/bb-hist.sh?HISTFILE=/home/*

history Mon Nov 20 22:07:25 EST 2000

Error reading history file [adam]

- 解决方案

Patches available:


BB4 Big Brother Network Monitor 1.5 d2

- 相关参考

     

     

    关于SCAP中文社区

    SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

    版权声明

    CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站