CVE-2002-0346
CVSS 7.5
Published: 2002-06-25 00:00:00
Last revised: 2016-10-17 22:19:36

[Original] Cross-site scripting vulnerability in Cobalt RAQ 4 allows remote attackers to execute arbitrary script as other Cobalt users via Javascript in a URL to (1) service.cgi or (2) alert.cgi.


[CNNVD] Sun Cobalt RaQ Service.CGI cross-site scripting vulnerability (CNNVD-200206-099)

        A cross-site scripting vulnerability exists in Cobalt RAQ 4. A remote attacker can exploit it to execute arbitrary script by passing Javascript in a URL to (1) service.cgi or (2) alert.cgi.

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/h:sun:cobalt_raq_3i    Sun Cobalt RaQ 3.0
cpe:/h:sun:cobalt_raq_4     Sun Cobalt RaQ 4.0
cpe:/h:sun:cobalt_raq_2     Sun Cobalt RaQ 2.0

- OVAL (technical details for detection)

No related OVAL definitions found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0346
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0346
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200206-099
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=101495944202452&w=2
(UNKNOWN)  BUGTRAQ  20020228 Colbalt-RAQ-v4-Bugs&Vulnerabilities
http://www.iss.net/security_center/static/8321.php
(VENDOR_ADVISORY)  XF  cobalt-raq-css(8321)
http://www.securityfocus.com/bid/4211
(VENDOR_ADVISORY)  BID  4211

- Vulnerability information

Sun Cobalt RaQ Service.CGI cross-site scripting vulnerability
High risk    Input validation
2002-06-25 00:00:00 2012-11-30 00:00:00
Remote
        A cross-site scripting vulnerability exists in Cobalt RAQ 4. A remote attacker can exploit it to execute arbitrary script by passing Javascript in a URL to (1) service.cgi or (2) alert.cgi.

- Advisory and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Delete service.cgi and alert.cgi, or disable their execution.
        * Peter N. Go (peter@arachinc.com) suggests modifying service.cgi to filter HTML tags out of user input: after the line
        my $service = $q->param('service');
        add the following code
        $service =~ s/<([^>])*>//g;   # remove every complete <...> tag from the parameter
        Vendor patch:
        Sun
        ---
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's homepage for the latest version:

        http://www.sun.com
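As an added illustration that is not part of the CNNVD record or of the Cobalt RaQ code, the Python below applies the same substitution as the suggested Perl workaround to a few constructed inputs and contrasts it with HTML output encoding, which is the control generally preferred for reflected script injection. The `render_service_line` function and the sample strings are assumptions standing in for what a CGI script echoes back.

```python
import html
import re

# Same pattern as the advisory's Perl workaround: $service =~ s/<([^>])*>//g;
TAG_RE = re.compile(r"<([^>])*>")


def strip_tags(value: str) -> str:
    """Remove every complete <...> tag, as the suggested service.cgi change does."""
    return TAG_RE.sub("", value)


def escape_html(value: str) -> str:
    """Encode HTML metacharacters so the browser renders the value as text, not markup."""
    return html.escape(value, quote=True)


def render_service_line(service: str, sanitizer=escape_html) -> str:
    # Hypothetical stand-in for the page fragment a CGI script writes back to the client.
    return "<p>Service: " + sanitizer(service) + "</p>"


# Constructed inputs: a plain value, a tagged value, and a value with an unclosed tag.
SAMPLES = ["httpd", "<b>httpd</b>", "httpd<b"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", repr(strip_tags(sample)), "|", repr(escape_html(sample)))
```

Tag stripping deletes balanced tags but passes an unclosed `<b` through unchanged and also discards any legitimate angle brackets in the value; encoding keeps the original characters while guaranteeing the browser treats them as text, which is why it is the more robust fix for this class of bug.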

- Vulnerability information

9283
Cobalt RAQ service.cgi XSS
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown

- Vulnerability description

- Timeline

2002-02-28 Unknown
Unknown Unknown

- Solution

OSVDB is not aware of a solution for this vulnerability.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Sun Cobalt RaQ Service.CGI Cross Scripting Vulnerability
Input Validation Error 4211
Yes No
2002-02-28 12:00:00 2009-07-11 10:56:00
This vulnerability discovery credited to Alex Hernandez <al3xhernandez@ureach.com>.

- Affected versions

Cobalt RaQ 4.0
Cobalt RaQ 3.0
Cobalt RaQ 2.0

- Vulnerability discussion

RaQ is a server appliance originally developed by Cobalt. It is now distributed and maintained by Sun Microsystems.

Due to insufficient sanitization of input, it is possible to execute script code on Cobalt RaQ systems. The problem occurs in the filtering of malicious HTML tags passed to the service.cgi and alert.cgi scripts. It has been reported that by passing malicious script code through the search.cgi or alert.cgi scripts, it may be possible to place malicious content on pages hosted by the RaQ server.

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- References
