CVE-2002-0307
CVSS 7.5
Published: 2002-05-31 00:00:00
Revised: 2016-10-17 22:18:49

[Original] Directory traversal vulnerability in ans.pl in Avenger's News System (ANS) 2.11 and earlier allows remote attackers to determine the existence of arbitrary files or execute any Perl program on the system via a .. (dot dot) in the p parameter, which reads the target file and attempts to execute the line using Perl's eval function.


[CNNVD] Avenger's News System Directory Traversal Vulnerability (CNNVD-200205-124)

        Avenger's News System (ANS) is a form-based web update and management tool written in Perl that runs on most Unix/Linux systems.
        ANS does not filter "../" in URL requests, so it is exposed to directory traversal attacks that disclose the contents of any file the web server process is permitted to read.
        The ANS configuration file defines the $QUERY variable as "$ENV{'QUERY_STRING'}".
        The ANS implementation handles the URL POST request with the following code:
         if (substr($QUERY, 0, 2) eq "p=")
         {
             $plugin = substr((split /&/, $QUERY)[0], 2);
             if (index("$QUERY", "&") < 0) { $QUERY = ""; }
             else { $QUERY = substr($QUERY, index("$QUERY", "&")+1); }
             open (PLUGIN, "$FILE_LOCATION/$plugin");   # two-argument open on a path built from user input
             @plugin = <PLUGIN>;                        # read the selected file
             close (PLUGIN);
             eval("@plugin");                           # execute its contents as Perl
             exit;
         }
        Note that no "../" filtering is applied to the user input here.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:avengers_news_system:avengers_news_system:2.11
cpe:/a:avengers_news_system:avengers_news_system:2.01

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0307
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0307
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200205-124
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=101430868616112&w=2
(UNKNOWN)  BUGTRAQ  20020221 "Cthulhu xhAze" - Command execution in Ans.pl
http://www.securityfocus.com/bid/4147
(UNKNOWN)  BID  4147

- Vulnerability Information

Avenger's News System Directory Traversal Vulnerability
High severity  Input validation
2002-05-31 00:00:00 2006-06-15 00:00:00
Remote

- Advisories and patches

        Temporary workaround:
        "b0iler _" (b0iler@hotmail.com) suggests the following measures to reduce the threat:
        * Replace the following code in the program:
         if (substr($QUERY, 0, 2) eq "p=")
         {
             $plugin = substr((split /&/, $QUERY)[0], 2);
             if (index("$QUERY", "&") < 0) { $QUERY = ""; }
             else { $QUERY = substr($QUERY, index("$QUERY", "&")+1); }
             open (PLUGIN, "$FILE_LOCATION/$plugin");
             @plugin = <PLUGIN>;
             close (PLUGIN);
             eval("@plugin");
             exit;
         }
        with:
         if (substr($QUERY, 0, 2) eq "p="){
             $QUERY =~ s/([\&;\`'\\\|"*?~<>^\(\)\[\]\{\}\$\n\r])/\\$1/g; # escape certain special characters
             $QUERY =~ s/\.\.//g; #filter double dot (..)
             $plugin = substr((split /&/, $QUERY)[0], 2);
             if (index("$QUERY", "&") < 0) { $QUERY = ""; }
             else { $QUERY = substr($QUERY, index("$QUERY", "&")+1); }
             open (PLUGIN, "<$FILE_LOCATION/$plugin"); #added a < to the open() - readonly
             @plugin = <PLUGIN>;
             close (PLUGIN);
             eval("@plugin");
             exit;
         }
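As an added example (not ANS's code and not part of the workaround quoted in this advisory), the same plugin-loading branch rewritten so that the plugin name must match an allowlist and resolve inside the plugin directory before the read-only open; `$FILE_LOCATION` and `$QUERY` are ANS's variables, while the plugin directory and query strings used in the demo are constructed here.

```perl
#!/usr/bin/perl
# Added example, not ANS's own code: a hardened replacement for the
# plugin-loading branch of ans.pl. $FILE_LOCATION / $QUERY are ANS's
# variables; the plugin directory and queries below are constructed.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;
use File::Temp qw(tempdir);

# Extract the value of a leading "p=" parameter as the original code
# did (no URL decoding, matching ANS).
sub parse_plugin_param {
    my ($query) = @_;
    return undef unless defined $query && substr($query, 0, 2) eq 'p=';
    my ($first) = split /&/, $query;
    return substr($first, 2);
}

# Return the canonical path of a plugin, or undef if the name is rejected.
sub safe_plugin_path {
    my ($file_location, $plugin) = @_;
    # 1. Allowlist instead of stripping "..": one "<name>.pl" token with
    #    no separators, no extra dots, no NUL, no shell metacharacters.
    return undef unless defined $plugin
        && $plugin =~ /\A[A-Za-z0-9_-]{1,64}\.pl\z/;
    # 2. Canonicalise and require the result to stay inside the plugin
    #    directory, so a symlink dropped there cannot redirect the read.
    my $base = realpath($file_location);
    return undef unless defined $base;
    my $path = realpath(File::Spec->catfile($base, $plugin));
    return undef unless defined $path && -f $path;
    return undef unless index($path, "$base/") == 0;
    return $path;
}

# Demo: a throwaway plugin directory holding one legitimate plugin.
my $dir = tempdir(CLEANUP => 1);
open(my $out, '>', "$dir/hello.pl") or die "cannot create plugin: $!";
print $out "print \"hello from plugin\\n\";\n";
close $out;

for my $query ('p=hello.pl&x=1', 'p=../../etc/passwd', 'p=hello.pl%00') {
    my $path = safe_plugin_path($dir, parse_plugin_param($query));
    if (!defined $path) { print "rejected: $query\n"; next; }
    open(my $in, '<', $path) or die "cannot open $path: $!";  # 3-arg, read-only
    my $code = do { local $/; <$in> };
    close $in;
    eval $code;            # only a vetted file from the plugin directory gets here
    die $@ if $@;
}
```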
        Vendor patch:
        Avenger
        -------
        The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:
        
        http://ans.gq.nu/

- Vulnerability Information

724
Avenger's News System Traversal Arbitrary Command Execution
Input Manipulation
Loss of Integrity Patch / RCS
Vendor Verified

- Vulnerability Description

This host is running the 'Avenger's News System' (ANS). ANS is a web content management solution written in Perl. The ANS is vulnerable to an arbitrary command execution attack. An attacker can use this to gain access to this host.

- Timeline

2002-02-21 Unknown
Unknown Unknown

- Solution

The vendor has released a patch that fixes this issue. Please upgrade to the latest version of 'ANS' available from http://ans.gq.nu/.

- References

- Discoverer

Unknown or Incomplete

- Vulnerability Information

Avenger's News System Directory Traversal Vulnerability
Input Validation Error 4147
Yes No
2002-02-21 12:00:00 2009-07-11 10:56:00
This issue was submitted to BugTraq on February 21st, 2002 by "b0iler _" <b0iler@hotmail.com>.

- Affected Versions

Avenger's News System Avenger's News System 2.11
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.19
- Apache Software Foundation Apache 1.3.18
- Apache Software Foundation Apache 1.3.17
Avenger's News System Avenger's News System 2.01
- Apache Software Foundation Apache 1.3.22
- Apache Software Foundation Apache 1.3.20
- Apache Software Foundation Apache 1.3.19
- Apache Software Foundation Apache 1.3.18
- Apache Software Foundation Apache 1.3.17

- Discussion

Avenger's News System (ANS) is a simple form-based web site management tool written in Perl. It will run on most Unix and Linux variants.

ANS does not filter dot-dot-slash (../) sequences from web requests, making it prone to directory traversal attacks. As a result, the attacker may display the contents of arbitrary web-readable files.

Information disclosed in this manner may aid the attacker in further "intelligent" attacks against the host.

- Exploit

This issue may be exploited with a web browser.

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- References

