CVE-2001-0665
CVSS 7.5
Published: 2001-10-30 00:00:00
Last revised: 2008-09-05 16:24:38

[Original] Internet Explorer 6 and earlier allows remote attackers to cause certain HTTP requests to be automatically executed and appear to come from the user, which could allow attackers to gain privileges or execute operations within web-based services, aka the "HTTP Request Encoding vulnerability."


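[CNNVD] Microsoft Internet Explorer HTTP Request Encoding Vulnerability (CNNVD-200110-140)

        Internet Explorer 6 and earlier versions contain a vulnerability. A remote attacker can cause certain HTTP requests to be executed automatically and appear to come from the user; the attacker can also use this vulnerability to elevate privileges or perform operations within web-based services. It is also known as the "HTTP Request Encoding vulnerability".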

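- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]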

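- CPE (Affected Platforms and Products)

Product and version information (CPE) is not currently available

- OVAL (Technical Details for Detection)

No related OVAL definitions found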

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0665
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-0665
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200110-140
(Official data source) CNNVD

- Other Links and Resources

http://www.microsoft.com/technet/security/bulletin/MS01-051.asp
(VENDOR_ADVISORY)  MS  MS01-051
http://xforce.iss.net/static/7259.php
(UNKNOWN)  XF  ie-url-http-requests(7259)
http://www.securityfocus.com/bid/3421
(UNKNOWN)  BID  3421
http://www.osvdb.org/1972
(UNKNOWN)  OSVDB  1972

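- Vulnerability Information

Microsoft Internet Explorer HTTP Request Encoding Vulnerability
High risk  Input validation
2001-10-30 00:00:00 2005-10-12 00:00:00
Remote
        Internet Explorer 6 and earlier versions contain a vulnerability. A remote attacker can cause certain HTTP requests to be executed automatically and appear to come from the user; the attacker can also use this vulnerability to elevate privileges or perform operations within web-based services. It is also known as the "HTTP Request Encoding vulnerability".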

- Advisories and Patches

        Microsoft has released a patch which addresses this issue:
        Note that in order to apply the patches for IE5.01 and IE5.5 you must have Internet Explorer Service Pack 2 installed for each product.
        Microsoft Internet Explorer 5.0.1 SP2
        
        Microsoft Internet Explorer 5.5 SP2
        
        Microsoft Internet Explorer 6.0
        

- Vulnerability Information

1972
Microsoft IE HTTP Request Encoding
Remote / Network Access
Loss of Confidentiality, Loss of Integrity

- Vulnerability Description

Microsoft Internet Explorer contains a flaw that may allow a malicious user to automatically execute HTTP requests on behalf of the victim. The issue is triggered when the attacker encodes URLs in a specific way and the victim views HTML crafted by the attacker. It is possible that the flaw may allow the attacker to take control of the victim's web-based applications, such as web-based email and online banking.

- Timeline

2001-10-10 Unknown
2001-10-10 Unknown

- Solution

Apply the Q306121 hotfix, as it has been reported to fix this vulnerability. The fix for this flaw is also included in IE 5.01 Service Pack 3, IE 5.5 Service Pack 3, and IE 6 Service Pack 1. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author
