CVE-2001-0519
CVSS7.5
发布时间 :2001-08-14 00:00:00
修订时间 :2008-09-05 16:24:18
NMCOE    

[原文]Aladdin eSafe Gateway versions 2.x allows a remote attacker to circumvent HTML SCRIPT filtering via a special arrangement of HTML tags which includes SCRIPT tags embedded within other SCRIPT tags.


[CNNVD]Aladdin eSafe Gateway过滤绕过漏洞(CNNVD-200108-057)

        Aladdin eSafe Gateway 2.x版本存在漏洞。远程攻击者可以借助含被嵌入在其他SCRIPT标签内的SCRIPT标签的HTML标签特殊参数来绕过HTML SCRIPT过滤。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: NETWORK [攻击者不需要获取内网访问权或本地访问权]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0519
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0519
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200108-057
(官方数据源) CNNVD

- 其它链接及资源

http://archives.neohapsis.com/archives/bugtraq/2001-05/0282.html
(VENDOR_ADVISORY)  BUGTRAQ  20010529 Aladdin eSafe Gateway Filter Bypass - Updated Advisory
http://xforce.iss.net/static/6580.php
(VENDOR_ADVISORY)  XF  esafe-gateway-bypass-filtering(6580)

- 漏洞信息

Aladdin eSafe Gateway过滤绕过漏洞
高危 未知
2001-08-14 00:00:00 2007-05-14 00:00:00
远程  
        Aladdin eSafe Gateway 2.x版本存在漏洞。远程攻击者可以借助含被嵌入在其他SCRIPT标签内的SCRIPT标签的HTML标签特殊参数来绕过HTML SCRIPT过滤。

- 公告与补丁

        

- 漏洞信息 (20890)

Aladdin Knowledge Systems eSafe Gateway 3.0 HTML tag Script-filtering Bypass Vulnerability (EDBID:20890)
multiple remote
2001-05-29 Verified
0 eDvice Security Services
N/A [点击下载]
source: http://www.securityfocus.com/bid/2800/info

eSafe Gateway is a security utility used for filtering internet content.

It is possible to craft an html file that slips through eSafe Gateway's script filtering feature. eSafe Gateway will ignore scripting commands that are embedded in any html tags that allow it. This causes eSafe Gateway to generate filtered html that still includes potentially dangerous scripting functions. 

For example, the following potentially harmful script will go
undetected by eSafe, even if the "remove all scripts" option is enabled:


<A HREF="javascript:var fso = new
ActiveXObject('Scripting.FileSystemObject');var a =
fso.CreateTextFile('c:\\testfile2.txt', true);a.WriteLine('This is a
test.');a.Close();">Click here</A>

HREF is not the only tag ignored. Any tag capable of containing scripting
command will not be filtered by eSafe. For example:

<BODY onload="alert('hi');"> 		

- 漏洞信息

7639
Aladdin eSafe Gateway Nested SCRIPT Tag Filtering Bypass
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

- 时间线

2001-05-21 Unknow
2001-05-21 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站