CVE-2002-0300
CVSS5.0
发布时间 :2002-05-31 00:00:00
修订时间 :2016-10-17 22:18:41
NMCOE    

[原文]gnujsp 1.0.0 and 1.0.1 allows remote attackers to list directories, read source code of certain scripts, and bypass access restrictions by directly requesting the target file from the gnujsp servlet, which does not work around a limitation of JServ and does not process the requested file.


[CNNVD]GNUJSP文件泄露漏洞(CNNVD-200205-110)

        Gnujsp 1.0.0和1.0.1版本存在漏洞。远程攻击者可以通过直接向gnujsp伺服程序请求目标文件来列出目录,读取某些脚本的源代码并绕过访问限制,其中,该伺服程序工作不受Jserv限制,并且不处理请求文件。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:gnujsp:gnujsp:1.0.1
cpe:/a:gnujsp:gnujsp:1.0.0

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0300
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0300
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200205-110
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=101415804625292&w=2
(UNKNOWN)  BUGTRAQ  20020219 gnujsp: dir- and script-disclosure
http://marc.info/?l=bugtraq&m=101422432123898&w=2
(UNKNOWN)  BUGTRAQ  20020220 Re: gnujsp: dir- and script-disclosure
http://www.debian.org/security/2002/dsa-114
(VENDOR_ADVISORY)  DEBIAN  DSA-114
http://www.iss.net/security_center/static/8240.php
(UNKNOWN)  XF  gnujsp-jserv-information-disclosure(8240)
http://www.securityfocus.com/bid/4125
(UNKNOWN)  BID  4125

- 漏洞信息

GNUJSP文件泄露漏洞
中危 配置错误
2002-05-31 00:00:00 2005-05-02 00:00:00
远程  
        Gnujsp 1.0.0和1.0.1版本存在漏洞。远程攻击者可以通过直接向gnujsp伺服程序请求目标文件来列出目录,读取某些脚本的源代码并绕过访问限制,其中,该伺服程序工作不受Jserv限制,并且不处理请求文件。

- 公告与补丁

        Upgrades are available.
        GNUJSP GNUJSP 1.0 .0
        

- 漏洞信息 (21295)

GNUJSP 1.0 File Disclosure Vulnerability (EDBID:21295)
multiple remote
2002-02-19 Verified
0 Thomas Springer
N/A [点击下载]
source: http://www.securityfocus.com/bid/4125/info

GNUJSP is a freely available, open-source implementation of Sun's Java Server Pages. It will run on most Unix and Linux variants, as well as Microsoft Windows NT/2000 operating systems.

It has been reported that a remote attacker may disclose the contents of directories via a specially crafted web request. This may be exploited to list directories, read the contents of arbitrary web-readable files, and disclose script source code. The attacker simply appends the name of the directory and/or file to be disclosed to a web request for /servlets/gnujsp/.

It should be noted that this may allow an attacker to circumvent .htaccess files.

This issue may be the result of a configuration error. 

http://site/servlets/gnujsp/[dirname]/[file] 		

- 漏洞信息

5323
GNUJSP Direct Servlet Request Parsing Information Disclosure
Remote / Network Access Information Disclosure, Misconfiguration
Loss of Confidentiality Patch / RCS
Exploit Public Third-party Verified

- 漏洞描述

- 时间线

2002-02-19 Unknow
2002-02-19 Unknow

- 解决方案

Currently, there are no known workarounds or upgrades to correct this issue. However, a patch has been released to address this vulnerability.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站