CVE-2002-0245
CVSS7.5
发布时间 :2002-05-29 00:00:00
修订时间 :2016-10-17 22:17:34
NMCOS    

[原文]Lotus Domino server 5.0.8 with NoBanner enabled allows remote attackers to (1) determine the physical path of the server via a request for a nonexistent file with a .pl (Perl) extension, which leaks the pathname in the error message, or (2) make any request that causes an HTTP 500 error, which leaks the server's version name in the HTTP error message.


[CNNVD]Lotus Domino Banner信息泄露漏洞(CNNVD-200205-054)

        NoBanner启用的Lotus Domino server 5.0.8存在漏洞。远程攻击者可以(1)借助对不存在文件且扩展名Wie.pl(Perl)的文件的请求确定服务器物理路径,该漏洞会在错误消息中泄露路径名,或(2)执行导致HTTP 500错误的任意请求,该漏洞可能在HTTP错误消息中泄露服务器版本名称。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:lotus:domino:5.0.6a
cpe:/a:lotus:domino:5.0.4a
cpe:/a:lotus:domino:5.0.7a
cpe:/a:lotus:domino:5.0
cpe:/a:lotus:domino:5.0.6
cpe:/a:lotus:domino:5.0.3
cpe:/a:lotus:domino:5.0.5
cpe:/a:lotus:domino:5.0.2
cpe:/a:lotus:domino:5.0.1
cpe:/a:lotus:domino:5.0.8
cpe:/a:lotus:domino:5.0.7
cpe:/a:lotus:domino:5.0.4
cpe:/a:lotus:domino:5.0.9

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0245
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0245
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200205-054
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=101310812804716&w=2
(UNKNOWN)  BUGTRAQ  20020207 Re: KPMG-2002004: Lotus Domino Webserver DOS-device Denial of Service
http://www-1.ibm.com/support/manager.wss?rs=1&rt=0&org=sims&doc=07B32060E4CC97E985256B64005AEB0F
(UNKNOWN)  CONFIRM  http://www-1.ibm.com/support/manager.wss?rs=1&rt=0&org=sims&doc=07B32060E4CC97E985256B64005AEB0F
http://www.iss.net/security_center/static/8160.php
(VENDOR_ADVISORY)  XF  lotus-domino-reveal-information(8160)
http://www.securityfocus.com/bid/4049
(UNKNOWN)  BID  4049

- 漏洞信息

Lotus Domino Banner信息泄露漏洞
高危 设计错误
2002-05-29 00:00:00 2005-10-20 00:00:00
远程  
        NoBanner启用的Lotus Domino server 5.0.8存在漏洞。远程攻击者可以(1)借助对不存在文件且扩展名Wie.pl(Perl)的文件的请求确定服务器物理路径,该漏洞会在错误消息中泄露路径名,或(2)执行导致HTTP 500错误的任意请求,该漏洞可能在HTTP错误消息中泄露服务器版本名称。

- 公告与补丁

        This issue has been addressed in versions 5.09a and later. Those affected are advised to upgrade.
        Lotus Domino 5.0
        
        Lotus Domino 5.0.1
        
        Lotus Domino 5.0.2
        
        Lotus Domino 5.0.3
        
        Lotus Domino 5.0.4 a
        
        Lotus Domino 5.0.4
        
        Lotus Domino 5.0.5
        
        Lotus Domino 5.0.6
        
        Lotus Domino 5.0.6 a
        
        Lotus Domino 5.0.7
        
        Lotus Domino 5.0.7 a
        
        Lotus Domino 5.0.8
        
        Lotus Domino 5.0.9
        

- 漏洞信息

15453
IBM Lotus Domino htcgibin.exe HTTP 500 Error Server Version Disclosure

- 漏洞描述

Unknown or Incomplete

- 时间线

2002-02-07 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Lotus Domino Banner Information Disclosure Vulnerability
Design Error 4049
Yes No
2002-02-07 12:00:00 2009-07-12 05:56:00
Discovered by Nicolas Gregoire <ngregoire@exaprobe.com>.

- 受影响的程序版本

Lotus Domino 5.0.9
Lotus Domino 5.0.8
Lotus Domino 5.0.7 a
Lotus Domino 5.0.7
- HP HP-UX 9.9
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- IBM OS/390 V2R9
- Linux kernel 2.3
- Linux kernel 2.3
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
Lotus Domino 5.0.6 a
Lotus Domino 5.0.6
- HP HP-UX 9.9
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- IBM OS/390 V2R9
- Linux kernel 2.3
- Linux kernel 2.3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
Lotus Domino 5.0.5
- HP HP-UX 9.9
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- IBM OS/390 V2R9
- Linux kernel 2.3
- Linux kernel 2.3
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
Lotus Domino 5.0.4 a
Lotus Domino 5.0.4
- HP HP-UX 9.9
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- IBM OS/390 V2R9
- Linux kernel 2.3
- Linux kernel 2.3
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
Lotus Domino 5.0.3
- HP HP-UX 9.9
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- IBM OS/390 V2R9
- Linux kernel 2.3
- Linux kernel 2.3
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
Lotus Domino 5.0.2
- HP HP-UX 9.9
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- IBM OS/390 V2R9
- Linux kernel 2.3
- Linux kernel 2.3
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
Lotus Domino 5.0.1
- HP HP-UX 9.9
- HP HP-UX 9.9
- IBM AIX 4.3
- IBM AIX 4.3
- IBM OS/2 4.5 Warp
- IBM OS/2 4.5 Warp
- IBM OS/390 V2R9
- IBM OS/390 V2R9
- Linux kernel 2.3
- Linux kernel 2.3
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
- Sun Solaris 8_sparc
Lotus Domino 5.0
Lotus Domino 5.0.10
Lotus Domino 5.0.9 a

- 不受影响的程序版本

Lotus Domino 5.0.10
Lotus Domino 5.0.9 a

- 漏洞讨论

A vulnerability has been reported in Lotus Domino server, that could allow a malicious user to view the full path to the web root.

Reportedly, if a user submits an HTTP request for a non existent .pl file, the server will return a 500 error page containing the full path of the file. In addition to disclosing path information, system information can be revealed. This was tested on Lotus Domino Server with NoBanner set to 1.

- 漏洞利用

No exploit code is required.

- 解决方案

This issue has been addressed in versions 5.09a and later. Those affected are advised to upgrade.


Lotus Domino 5.0

Lotus Domino 5.0.1

Lotus Domino 5.0.2

Lotus Domino 5.0.3

Lotus Domino 5.0.4 a

Lotus Domino 5.0.4

Lotus Domino 5.0.5

Lotus Domino 5.0.6

Lotus Domino 5.0.6 a

Lotus Domino 5.0.7

Lotus Domino 5.0.7 a

Lotus Domino 5.0.8

Lotus Domino 5.0.9

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站