CVE-2002-0456
CVSS 5.0
Published: 2002-08-12 00:00:00
Last revised: 2016-10-17 22:20:20

[Original] Eudora 5.1 and earlier versions store attachments in a directory with a fixed name, which could make it easier for attackers to exploit vulnerabilities in other software that relies on installing and reading files from directories with known pathnames.


[CNNVD] Qualcomm Eudora Known Attachment Path Vulnerability (CNNVD-200208-137)

        
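        Eudora is an email client for Microsoft Windows systems. If the 'use Microsoft Viewer' option is enabled, Eudora uses the Internet Explorer browser to help display HTML-formatted messages.
        Some versions of Eudora have a predictable attachment location weakness: when an email containing a file attachment is received, the file is automatically stored at a predetermined path on the local system, and an attacker can use this information to launch further attacks against the system.
        Eudora places automatically received mail in the Eudora installation directory; an attacker can guess the attachment path and use auto-execution vulnerabilities in IE or similar software to execute attachments containing malicious code or a backdoor.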
        

- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

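- CPE (Affected Platforms and Products)

Product and version information (CPE) is not currently available

- OVAL (Technical Details for Detection)

No related OVAL definition found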

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0456
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0456
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200208-137
(Official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=101622857703677&w=2
(UNKNOWN)  BUGTRAQ  20020315 RE: MSIE vulnerability exploitable with IncrediMail
http://www.iss.net/security_center/static/8487.php
(VENDOR_ADVISORY)  XF  eudora-insecure-attachment-directory(8487)
http://www.securityfocus.com/archive/1/262704
(VENDOR_ADVISORY)  BUGTRAQ  20020316 MSIE vulnerability exploitable with Eudora (was: IncrediMail)
http://www.securityfocus.com/bid/4306
(VENDOR_ADVISORY)  BID  4306

- Vulnerability information

Qualcomm Eudora Known Attachment Path Vulnerability
Medium severity  Design error
2002-08-12 00:00:00 2005-10-20 00:00:00
Remote
        
        

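- Advisories and patches

        Temporary workaround:
        If you cannot install a patch or upgrade immediately, CNNVD recommends taking the following measures to reduce the threat:
        * There is currently no good temporary workaround.
        Vendor patch:
        Qualcomm
        --------
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: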
        
        http://www.eudora.com/

- Vulnerability information

13518
Eudora Predictable Attachment Directory Name Weakness

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-03-16 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Qualcomm Eudora Known File Attachment Location Vulnerability
Design Error 4306
Yes No
2002-03-16 12:00:00 2009-07-11 11:56:00
Reported by Magnus Bodin <magnus@bodin.org>.

- Affected software versions

Qualcomm Eudora 5.2
Qualcomm Eudora 5.1.1
Qualcomm Eudora 5.1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0

- Vulnerability discussion

Eudora is an email client for Microsoft Windows based systems. Eudora uses Internet Explorer to assist in the viewing of HTML messages if the 'Use Microsoft Viewer' option is enabled.

A weakness has been discovered in some versions of Eudora. When email is received including a file attachment, the file is stored in a predictable location on the local system. An attacker may be able to use this knowledge to launch further attacks against the vulnerable system.

- Exploit

No exploit code is required.

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

 

 
