CVE-2002-1042
CVSS 5.0
Published: 2002-10-04 00:00:00
Last revised: 2008-09-05 16:29:37

[Original] Directory traversal vulnerability in search engine for iPlanet web server 6.0 SP2 and 4.1 SP9, and Netscape Enterprise Server 3.6, when running on Windows platforms, allows remote attackers to read arbitrary files via ..\ (dot-dot backslash) sequences in the NS-query-pat parameter.


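[CNNVD] iPlanet Web Server search component remote file disclosure vulnerability (CNNVD-200210-030)

        
        Sun iPlanet Web is a commercial web server developed by Sun Microsystems.
        The search feature of Sun iPlanet Web Server does not filter user-supplied input, so a remote attacker can exploit this vulnerability to view the contents of arbitrary files on the system with the privileges of the web server process.
        Sun iPlanet Web Server includes a search engine that uses HTML pattern files to obtain search parameters from the user. With the NS-query-pat command, a user can specify a system file to view in place of the default pattern file. Unfortunately, the search engine does not properly check the pattern file being queried, so an attacker can submit a request containing multiple '..\' sequences to bypass access control and view the contents of arbitrary files on the system with the privileges of the web server process.
        Netscape Enterprise Server 3.6 is also affected by this issue.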
        

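- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]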

- CPE (affected platforms and products)

cpe:/a:sun:iplanet_web_server:4.1:sp1  Sun iPlanet Web Server 4.1 SP1
cpe:/a:sun:iplanet_web_server:4.1:sp1:enterprise  Sun iPlanet Web Server 4.1 SP1 Enterprise
cpe:/a:sun:one_application_server:6.0:sp1
cpe:/a:sun:iplanet_web_server:4.1:sp8  Sun iPlanet Web Server 4.1 SP8
cpe:/a:sun:iplanet_web_server:4.1:sp2  Sun iPlanet Web Server 4.1 SP2
cpe:/a:sun:iplanet_web_server:4.1:sp2:enterprise  Sun iPlanet Web Server 4.1 SP2 Enterprise
cpe:/a:sun:iplanet_web_server:4.1:sp10  Sun iPlanet Web Server 4.1 SP10
cpe:/a:sun:iplanet_web_server:4.1:sp7:enterprise  Sun iPlanet Web Server 4.1 SP7 Enterprise
cpe:/a:sun:iplanet_web_server:4.1:sp9:enterprise  Sun iPlanet Web Server 4.1 SP9 Enterprise
cpe:/a:sun:iplanet_web_server:4.1:sp9  Sun iPlanet Web Server 4.1 SP9
cpe:/a:sun:iplanet_web_server:4.1:sp5:enterprise  Sun iPlanet Web Server 4.1 SP5 Enterprise
cpe:/a:sun:iplanet_web_server:4.1:sp5  Sun iPlanet Web Server 4.1 SP5
cpe:/a:sun:iplanet_web_server:4.1:sp3  Sun iPlanet Web Server 4.1 SP3
cpe:/a:sun:iplanet_web_server:4.1:sp3:enterprise  Sun iPlanet Web Server 4.1 SP3 Enterprise
cpe:/a:sun:one_application_server:6.0  Sun ONE Application Server 6.0
cpe:/a:sun:iplanet_web_server:4.1:sp8:enterprise  Sun iPlanet Web Server 4.1 SP8 Enterprise
cpe:/a:sun:iplanet_web_server:4.1:sp6  Sun iPlanet Web Server 4.1 SP6
cpe:/a:netscape:enterprise_server:3.6  Netscape Netscape Enterprise Server 3.6
cpe:/a:sun:iplanet_web_server:4.1  Sun iPlanet Web Server 4.1
cpe:/a:sun:iplanet_web_server:4.1:sp7  Sun iPlanet Web Server 4.1 SP7
cpe:/a:sun:iplanet_web_server:4.1:sp10:enterprise  Sun iPlanet Web Server 4.1 SP10 Enterprise
cpe:/a:sun:iplanet_web_server:4.1:sp4:enterprise  Sun iPlanet Web Server 4.1 SP4 Enterprise
cpe:/a:sun:one_application_server:6.0:sp2
cpe:/a:sun:iplanet_web_server:4.1:sp6:enterprise  Sun iPlanet Web Server 4.1 SP6 Enterprise
cpe:/a:sun:iplanet_web_server:4.1:sp4  Sun iPlanet Web Server 4.1 SP4
cpe:/a:sun:one_web_server:6.0:sp3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1042
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1042
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200210-030
(Official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/5191
(VENDOR_ADVISORY)  BID  5191
http://www.iss.net/security_center/static/9517.php
(VENDOR_ADVISORY)  XF  iplanet-search-view-files(9517)
http://archives.neohapsis.com/archives/bugtraq/2002-07/0085.html
(UNKNOWN)  BUGTRAQ  20020709 iPlanet Remote File Viewing

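- Vulnerability information

iPlanet Web Server search component remote file disclosure vulnerability
Medium risk  Input validation
2002-10-04 00:00:00 2006-09-20 00:00:00
Remote
        
        Sun iPlanet Web is a commercial web server developed by Sun Microsystems.
        The search feature of Sun iPlanet Web Server does not filter user-supplied input, so a remote attacker can exploit this vulnerability to view the contents of arbitrary files on the system with the privileges of the web server process.
        Sun iPlanet Web Server includes a search engine that uses HTML pattern files to obtain search parameters from the user. With the NS-query-pat command, a user can specify a system file to view in place of the default pattern file. Unfortunately, the search engine does not properly check the pattern file being queried, so an attacker can submit a request containing multiple '..\' sequences to bypass access control and view the contents of arbitrary files on the system with the privileges of the web server process.
        Netscape Enterprise Server 3.6 is also affected by this issue.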
        

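- Advisories and patches

        Workarounds:
        If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Disable the search feature.
        * Add the following Snort rule to help detect this kind of attack:
        alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC iPlanet Search Engine File Viewing"; flags:A+; uricontent:"NS-query-pat"; classtype:web-application-attack; sid:1000999; rev:1;)
        Vendor patch:
        iPlanet E-Commerce Solutions
        ----------------------------
        The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version: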
        
        http://www.iplanet.com/
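
An added example, not part of the original advisory or of any vendor tooling: the Snort rule above fires on every request that names NS-query-pat, so this Python script narrows the match to access-log entries whose decoded NS-query-pat value contains a `..` path component. The log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Request line inside a Common Log Format entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?"')
PARAM = "ns-query-pat"

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(value):
    """True if any path component, split on '/' or backslash, is '..'."""
    parts = re.split(r"[\\/]", fully_decode(value))
    return ".." in parts

def suspicious_requests(log_lines):
    """Return (line_number, decoded_value) for each traversal attempt."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() == PARAM and has_traversal(value):
                hits.append((number, fully_decode(value)))
    return hits

# Constructed sample access-log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/Jul/2002:10:00:01 +0000] "GET /search?NS-query-pat=/text/example.pat HTTP/1.0" 200 512',
    '192.0.2.11 - - [09/Jul/2002:10:00:05 +0000] "GET /search?NS-query-pat=..\\..\\..\\..\\..\\boot.ini HTTP/1.0" 200 288',
    '192.0.2.12 - - [09/Jul/2002:10:00:09 +0000] "GET /search?NS-query-pat=%2e%2e%5c%2e%2e%5cboot.ini HTTP/1.0" 200 288',
    '192.0.2.13 - - [09/Jul/2002:10:00:12 +0000] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: NS-query-pat={value}")
```

Matching on whole path components rather than the substring `..` keeps ordinary file names that contain two dots from raising alerts.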

- Vulnerability information (21603)

iPlanet Web Server 4.1 Search Component File Disclosure Vulnerability (EDBID:21603)
multiple remote
2002-07-09 Verified
0 Qualys Corporation
N/A [Click to download]
source: http://www.securityfocus.com/bid/5191/info

The iPlanet Web Server search engine is prone to a file disclosure vulnerability. It is possible for remote attackers to make requests to the search engine which will cause arbitrary readable files on the host running the vulnerable software to be disclosed to the attacker.

This issue was reported for iPlanet Web Server on Microsoft Windows operating systems. Since the server typically runs in the SYSTEM context on these operating systems, it may be possible for an attacker to disclose the contents of arbitrary files. It has not been confirmed whether this vulnerability exists on other platforms that the software is compatible with. The search engine functionality does not appear to be available for versions of the software on Linux platforms.

GET /search?NS-query-pat=..\..\..\..\..\boot.ini 		

- Vulnerability information

846
iPlanet/One Web Server search Arbitrary File Access
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

iPlanet/One Web Server contains a flaw that allows a remote attacker to access arbitrary files outside of the web path. The issue is due to the "search" script not properly sanitizing user input, specifically traversal style attacks (../../) supplied via the "NS-query-pat" variable.

- Timeline

2002-07-09 Unknown
2002-07-09 Unknown

- Solution

Upgrade to iPlanet Web Server 4.1 Service Pack 11 or Sun ONE Web Server 6.0 Service Pack 4, as it has been reported to fix this vulnerability. Administrators may also disable or remove the search feature.

- Related references

- Vulnerability author

- Vulnerability information

iPlanet Web Server Search Component File Disclosure Vulnerability
Input Validation Error 5191
Yes No
2002-07-09 12:00:00 2009-07-11 02:56:00
This issue was reportedly discovered by the Qualys Corporation. <turambar386@routergod.com> released an advisory which further describes the issue.

- Affected software versions

Sun ONE Web Server 6.0 SP3
Sun ONE Web Server 6.0 SP2
Sun ONE Web Server 6.0 SP1
Sun ONE Web Server 6.0
Sun ONE Web Server 4.1 SP10
Sun iPlanet Web Server 6.0 SP2
Sun iPlanet Web Server 6.0 SP1
Sun iPlanet Web Server 6.0
- Compaq Tru64 4.0 d
- HP HP-UX 11.0
- HP HP-UX 11i v1
- IBM AIX 4.3.3
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows NT 4.0 SP6a
- Red Hat Linux 6.2
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
Sun iPlanet Web Server 4.1 SP9
Sun iPlanet Web Server 4.1 SP8
Sun iPlanet Web Server 4.1 SP7
Sun iPlanet Web Server 4.1 SP6
Sun iPlanet Web Server 4.1 SP5
Sun iPlanet Web Server 4.1 SP4
Sun iPlanet Web Server 4.1 SP3
Sun iPlanet Web Server 4.1 SP2
Sun iPlanet Web Server 4.1 SP10
Sun iPlanet Web Server 4.1 SP1
Sun iPlanet Web Server 4.1
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Linux kernel 2.2.12
- Microsoft Windows NT 4.0
Netscape Enterprise Server 3.6
- Compaq Tru64 4.0 d
- Digital UNIX 4.0 B
- HP HP-UX 11.0
- IBM AIX 4.2
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0
- SGI IRIX 6.5
- SGI IRIX 6.2
- Sun Solaris 2.5.1
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 6.0 SP2
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 6.0 SP1
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 6.0
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP9
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP8
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP7
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 d
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Linux kernel 2.2.12
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
- Sun Solaris 2.6
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP6
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 d
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Linux kernel 2.2.12
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
- Sun Solaris 2.6
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP5
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 d
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Linux kernel 2.2.12
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
- Sun Solaris 2.6
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP4
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 d
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Linux kernel 2.2.12
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
- Sun Solaris 2.6
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP3
- Digital (Compaq) TRU64/DIGITAL UNIX 4.0 d
- HP HP-UX 11.0
- IBM AIX 4.3.3
- Linux kernel 2.2.12
- Microsoft Windows NT 4.0
- Sun Solaris 8_sparc
- Sun Solaris 2.6
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP2
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP10
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP1
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1
- Compaq Tru64 5.1
- Compaq Tru64 5.0 a
- HP HP-UX 11.0
- HP HP-UX 11i v1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Red Hat Linux 6.2
- Sun Solaris 8_sparc
- Sun Solaris 7.0
- Sun Solaris 2.6
Sun ONE Web Server 6.0 SP5
Sun ONE Web Server 6.0 SP4
Sun ONE Web Server 4.1 SP11
Sun iPlanet Web Server 4.1 SP11
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP11

- Unaffected software versions

Sun ONE Web Server 6.0 SP5
Sun ONE Web Server 6.0 SP4
Sun ONE Web Server 4.1 SP11
Sun iPlanet Web Server 4.1 SP11
iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP11

- Vulnerability discussion

The iPlanet Web Server search engine is prone to a file disclosure vulnerability. It is possible for remote attackers to make requests to the search engine which will cause arbitrary readable files on the host running the vulnerable software to be disclosed to the attacker.

This issue was reported for iPlanet Web Server on Microsoft Windows operating systems. Since the server typically runs in the SYSTEM context on these operating systems, it may be possible for an attacker to disclose the contents of arbitrary files. It has not been confirmed whether this vulnerability exists on other platforms that the software is compatible with. The search engine functionality does not appear to be available for versions of the software on Linux platforms.

Netscape Enterprise Server 3.6 is also affected by this issue.

- Exploit

The following example was provided to exploit this vulnerability using telnet to connect to the server:

GET /search?NS-query-pat=..\..\..\..\..\boot.ini

- Solution

Sun has announced that this issue is resolved in Sun ONE Web Server 4.1 SP11 and 6.0 SP4:

http://wwws.sun.com/software/download/allproducts.html


iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP3

iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP10

iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP8

iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1

iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP6

Sun iPlanet Web Server 4.1 SP4

Sun iPlanet Web Server 4.1 SP5

iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP2

Sun iPlanet Web Server 4.1 SP2

iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP7

Sun iPlanet Web Server 4.1 SP1

Sun iPlanet Web Server 4.1 SP3

iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP5

Sun iPlanet Web Server 4.1 SP10

iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP4

Sun iPlanet Web Server 4.1 SP6

Sun iPlanet Web Server 4.1 SP9

iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP1

iPlanet E-Commerce Solutions iPlanet Web Server Enterprise Edition 4.1 SP9

Sun iPlanet Web Server 4.1 SP8

Sun iPlanet Web Server 4.1

Sun iPlanet Web Server 4.1 SP7

Sun ONE Web Server 6.0

Sun ONE Web Server 6.0 SP2

Sun ONE Web Server 6.0 SP3

Sun ONE Web Server 6.0 SP1

- Related references

 

 
