CVE-2002-0874
CVSS 5.0
Published: 2002-09-05 00:00:00
Revised: 2008-09-10 15:13:05

[Original] Vulnerability in Interchange 4.8.6, 4.8.3, and other versions, when running in INET mode, allows remote attackers to read arbitrary files.


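[CNNVD] RedHat Interchange remote arbitrary file disclosure vulnerability (CNNVD-200209-012)

        Interchange is an e-commerce and application server system that lets users easily build database-backed web servers and online applications.
        Interchange 4.8.5 and earlier contain a security vulnerability: when running in "INET mode", it allows an attacker to read any file that the Interchange process has permission to read. This may leak sensitive information, which the attacker could use to launch further attacks.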
        

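- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]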

- CPE (affected platforms and products)

cpe:/a:redhat:interchange:4.8.1 (Red Hat Interchange 4.8.1)
cpe:/a:redhat:interchange:4.8.2 (Red Hat Interchange 4.8.2)
cpe:/a:redhat:interchange:4.8.5 (Red Hat Interchange 4.8.5)
cpe:/a:redhat:interchange:4.8.3 (Red Hat Interchange 4.8.3)
cpe:/a:redhat:interchange:4.8.4 (Red Hat Interchange 4.8.4)

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0874
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-0874
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200209-012
(Official data source) CNNVD

- Other links and resources

http://www.debian.org/security/2002/dsa-150
(VENDOR_ADVISORY)  DEBIAN  DSA-150

- Vulnerability information

RedHat Interchange remote arbitrary file disclosure vulnerability
Medium severity  Unknown
2002-09-05 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patch:
        Debian
        ------
        Debian has released a security advisory (DSA-150-1) and corresponding patches for this issue:
        DSA-150-1: New interchange packages fix illegal file exposition
        Link:
        http://www.debian.org/security/2002/dsa-150


- Vulnerability information (21706)

Red Hat Interchange 4.8.x Arbitrary File Read Vulnerability (EDBID:21706)
linux remote
2002-08-13 Verified
0 Anonymous
source: http://www.securityfocus.com/bid/5453/info

A vulnerability has been reported for Interchange 4.8.5 and earlier. Reportedly, Interchange may disclose contents of files to attackers.

The vulnerability occurs due to the placement of the 'doc' folder. Reportedly, the folder will be installed as follows: <INTERCHANGE_ROOT>/doc. This folder, by default, contains Interchange man pages. This vulnerability is only exploitable when the Interchange service runs in INET (Internet service) mode.

An attacker may exploit this vulnerability to read the contents of restricted files accessible to the Interchange process.

It has been reported that this issue may be exploited through a '../' directory traversal sequence in an HTTP request to the vulnerable server.

http://www.domain.com:7786/../../../../../../../../../etc/passwd		

- Vulnerability information

7133
Interchange INET Mode Traversal Arbitrary File Access

- Vulnerability description

- Timeline

2002-08-13 Unknown
2002-08-13 Unknown

- Solution

Upgrade to version 4.8.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
