CVE-2001-1107
CVSS 5.0
Published: 2001-07-26 00:00:00
Revised: 2008-09-05 16:25:42

[Original] SnapStream PVS 1.2a stores its passwords in plaintext in the file SSD.ini, which could allow a remote attacker to gain privileges on the server.


[CNNVD] Snapstream PVS Plaintext Password Vulnerability (CNNVD-200107-181)

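CVE(CAN) ID: CAN-2001-1107

Snapstream Personal Video Station is software for the Windows platform that records video output on the user's own PC for later viewing locally or through an HTTP interface. The Snapstream PVS web interface runs on port 8129.

PVS stores user information and passwords in plaintext in a text file. By exploiting the PVS directory traversal vulnerability, we can obtain this important information, creating the conditions for further attacks.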

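- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]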

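- CPE (Affected Platforms and Products)

Product and version information (CPE) is not currently available

- OVAL (Technical Details for Detection)

No related OVAL definitions found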

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1107
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1107
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-181
(Official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/static/6917.php
(VENDOR_ADVISORY)  XF  snapstream-dot-directory-traversal(6917)
http://www.securityfocus.com/bid/3101
(VENDOR_ADVISORY)  BID  3101
http://discuss.snapstream.com/ubb/Forum1/HTML/000216.html
(UNKNOWN)  CONFIRM  http://discuss.snapstream.com/ubb/Forum1/HTML/000216.html
http://archives.neohapsis.com/archives/bugtraq/2001-07/0606.html
(VENDOR_ADVISORY)  BUGTRAQ  20010726 Snapstream PVS vulnerability

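- Vulnerability Information

Snapstream PVS Plaintext Password Vulnerability
Medium  Design Error
2001-07-26 00:00:00 2005-10-20 00:00:00
Remote
CVE(CAN) ID: CAN-2001-1107

Snapstream Personal Video Station is software for the Windows platform that records video output on the user's own PC for later viewing locally or through an HTTP interface. The Snapstream PVS web interface runs on port 8129.

PVS stores user information and passwords in plaintext in a text file. By exploiting the PVS directory traversal vulnerability, we can obtain this important information, creating the conditions for further attacks.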

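- Advisories and Patches

Vendor patch:

The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.snapstream.com/products/sspvs/Default.htm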

- Vulnerability Information (21035)

Snapstream PVS 1.2 Plaintext Password Vulnerability (EDBID:21035)
windows remote
2001-07-26 Verified
0 John
N/A [Click to download]
source: http://www.securityfocus.com/bid/3101/info

Snapstream Personal Video Station is an application for Microsoft Windows which allows users to record video output on their PC and view it at a later time, locally or via an HTTP interface. The Snapstream PVS web interface runs on port 8129.

The PVS service stores passwords and user information in plaintext format. Additional information is also contained in the same file which stores passwords, such as the location of the base directory for the service.

This would normally only be a local issue but in combination with other known vulnerabilities the file which stores passwords and user information is easily obtained.

Due to the issue discussed as Bugtraq ID 3100, the passwords can be disclosed to remote attackers. 

http://home.victim.com:8080/../ssd.ini 		

- Vulnerability Information

1913
Snapstream Personal Video Station (PVS) ssd.ini Cleartext Password Storage
Remote / Network Access Cryptographic, Information Disclosure
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability Description

SnapStream PVS contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the ssd.ini file is leaked, which will disclose plaintext passwords resulting in a loss of confidentiality and integrity.

- Timeline

2001-07-26 Unknown
2001-07-26 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- Related References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Snapstream PVS Plaintext Password Vulnerability
Design Error 3101
Yes No
2001-07-26 12:00:00 2009-07-11 06:56:00
This vulnerability was submitted to BugTraq on July 26th, 2001 by <john@interrorem.com>.

- Affected Program Versions

Snapstream Personal Video Station 1.2 a

- Vulnerability Discussion

Snapstream Personal Video Station is an application for Microsoft Windows which allows users to record video output on their PC and view it at a later time, locally or via an HTTP interface. The Snapstream PVS web interface runs on port 8129.

The PVS service stores passwords and user information in plaintext format. Additional information is also contained in the same file which stores passwords, such as the location of the base directory for the service.

This would normally only be a local issue but in combination with other known vulnerabilities the file which stores passwords and user information is easily obtained.

Due to the issue discussed as Bugtraq ID 3100, the passwords can be disclosed to remote attackers.

- Exploit

This example was submitted by <john@interrorem.com>:

http://home.victim.com:8080/../ssd.ini

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related References

 

 
