CVE-2001-1120
CVSS6.4
发布时间 :2001-07-11 00:00:00
修订时间 :2008-09-05 16:25:44
NMCOS    

[原文]Vulnerabilities in ColdFusion 2.0 through 4.5.1 SP 2 allow remote attackers to (1) read or delete arbitrary files, or (2) overwrite ColdFusion Server templates.


[CNNVD]Allaire ColdFusion 允许未经授权的文件访问(CNNVD-200107-069)

        CVE(CAN) ID: CAN-2001-1120
        
        
        
        Allaire ColdFusion 是Macromedia 公司开发的一款web应用服务器软件。
        
        
        
        Allaire ColdFusion 2 到4.5.1 SP2版本存在一个安全问题,允许攻击者读取或者删除
        
        Allaire ColdFusion服务器上的任意文件。这可能导致泄漏敏感信息或者数据丢失。
        
        
        
        

- CVSS (基础分值)

CVSS分值: 6.4 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/a:allaire:coldfusion_server:4.0
cpe:/a:allaire:coldfusion_server:4.5
cpe:/a:allaire:coldfusion_server:4.5.1_sp1
cpe:/a:allaire:coldfusion_server:2.0
cpe:/a:allaire:coldfusion_server:4.5.1
cpe:/a:allaire:coldfusion_server:3.0.1
cpe:/a:allaire:coldfusion_server:3.1.2
cpe:/a:allaire:coldfusion_server:3.1
cpe:/a:allaire:coldfusion_server:3.0
cpe:/a:allaire:coldfusion_server:4.5.1_sp2
cpe:/a:allaire:coldfusion_server:4.0.1
cpe:/a:allaire:coldfusion_server:3.1.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1120
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1120
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200107-069
(官方数据源) CNNVD

- 其它链接及资源

http://www.kb.cert.org/vuls/id/135531
(UNKNOWN)  CERT-VN  VU#135531
http://xforce.iss.net/static/6839.php
(VENDOR_ADVISORY)  XF  coldfusion-unauthorized-file-access(6839)
http://www.securityfocus.com/bid/3018
(VENDOR_ADVISORY)  BID  3018
http://www.securityfocus.com/archive/1/196452
(VENDOR_ADVISORY)  BUGTRAQ  20010712 New Cold Fusion vulnerability
http://www.allaire.com/handlers/index.cfm?id=21566
(UNKNOWN)  CONFIRM  http://www.allaire.com/handlers/index.cfm?id=21566

- 漏洞信息

Allaire ColdFusion 允许未经授权的文件访问
中危 未知
2001-07-11 00:00:00 2005-10-20 00:00:00
远程  
        CVE(CAN) ID: CAN-2001-1120
        
        
        
        Allaire ColdFusion 是Macromedia 公司开发的一款web应用服务器软件。
        
        
        
        Allaire ColdFusion 2 到4.5.1 SP2版本存在一个安全问题,允许攻击者读取或者删除
        
        Allaire ColdFusion服务器上的任意文件。这可能导致泄漏敏感信息或者数据丢失。
        
        
        
        

- 公告与补丁

        
        
        厂商补丁:
        
        
        
        Allaire 已经提供了针对ColdFusion 2到4.5.1 SP2的补丁程序:
        
        
        
        Windows系统 :
        
        
        http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107Windows.exe

        
        注意,在Windows系统下安装补丁前,需要先安装MSVCRT 6.0 库:
        
        
        http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/MFCRuntime.exe

        
        
        
        Solaris系统:
        
        
        http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107Solaris.tar.gz

        
        
        
        Linux系统:
        
        
        http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107Linux.tar.gz

        
        
        
        HPUX系统:
        
        
        http://a725.g.akamai.net/7/725/3564/v002/download.macromedia.com/publicdl/update/en/coldfusion/45/CFMPSB0107HPUX.tar.gz

        
        
        
        您也可以升级到Allaire ColdFusion 5或者更新版本。
        
        
        

- 漏洞信息

10495
ColdFusion Unspecified Arbitrary File Modification

- 漏洞描述

Unknown or Incomplete

- 时间线

2001-07-11 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Allaire ColdFusion Unauthorized File Access Vulnerability
Unknown 3018
Yes No
2001-07-11 12:00:00 2009-07-11 06:56:00
This vulnerability was submitted to BugTraq in a Macromedia Product Security Bulletin on July 11th, 2001.

- 受影响的程序版本

Allaire ColdFusion Server 4.5.1 SP2
Allaire ColdFusion Server 4.5.1 SP1
Allaire ColdFusion Server 4.5.1
Allaire ColdFusion Server 4.5
- Cobalt Linux 5.0
- Cobalt Linux 5.0
- HP HP-UX 11.0
- HP HP-UX 11.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
- RedHat Linux 7.0
- RedHat Linux 7.0
- S.u.S.E. Linux 7.0
- S.u.S.E. Linux 7.0
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
Allaire ColdFusion Server 4.0.1
Allaire ColdFusion Server 4.0
Allaire ColdFusion Server 3.1.2
Allaire ColdFusion Server 3.1.1
Allaire ColdFusion Server 3.1
Allaire ColdFusion Server 3.0.1
Allaire ColdFusion Server 3.0
Allaire ColdFusion Server 2.0
Allaire ColdFusion Server 5.0
- Cobalt Linux 5.0
- HP HP-UX 11.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- RedHat Linux 7.0
- S.u.S.E. Linux 7.0
- Sun Solaris 8_sparc

- 不受影响的程序版本

Allaire ColdFusion Server 5.0
- Cobalt Linux 5.0
- HP HP-UX 11.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- RedHat Linux 7.0
- S.u.S.E. Linux 7.0
- Sun Solaris 8_sparc

- 漏洞讨论

Allaire ColdFusion is a web application server. It supports quick development, publication and management of web content.

A security issue is known to exist with Allaire ColdFusion.
This issue allows attackers to read or delete arbitrary files on the vulnerable host. Disclosure of confidential information or loss of data may occur.

This issue may be exploitable by remote attackers who have access to the host.

At this point, very little is known about the nature of this vulnerability. Updates will be published as more information becomes available.

- 漏洞利用

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 解决方案

It has been reported that if MSVCRT 6.0 runtime files are not installed before applying the patch, server functionality may be affected. Please see the credit section for more details.

The vendor has released patches which address this issue. Please read the FAQ for instructions on how to install the patches:

http://www.allaire.com/handlers/index.cfm?id=21579

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站