CVE-2002-1601
CVSS 5.1
Published: 2002-02-09 00:00:00
Last revised: 2008-09-05 16:31:02

[Original text] The Connectables feature in Adobe PhotoDeluxe 3.1 prepends the Adobe directory to the CLASSPATH environment variable, which allows applets to run with higher privileges and remote attackers to gain privileges via an HTML e-mail message or a web page.


[CNNVD] Adobe PhotoDeluxe Java Execution Vulnerability (CNNVD-200202-003)

        
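Adobe PhotoDeluxe is image editing and creation software that runs on Microsoft Windows 9x/ME/NT/2000/XP operating systems.
Adobe PhotoDeluxe installs sensitive Java code in a public directory.
One feature of Adobe PhotoDeluxe lets users download additional design components from Adobe's site. This feature, called "Connectables", is implemented through Java code installed on the user's system. However, the Java applet is installed in an insecure manner and can be reached through malicious web pages or HTML e-mail viewed in Internet Explorer.
This issue can lead to unauthorized access to sensitive information on the user's system, and even to execution of arbitrary code.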
        

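- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]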

- CPE (affected platforms and products)

cpe:/a:adobe:photodeluxe:4.0 Adobe PhotoDeluxe 4.0
cpe:/a:adobe:photodeluxe:3.1 Adobe PhotoDeluxe 3.1
cpe:/a:adobe:photodeluxe:3.0 Adobe PhotoDeluxe 3.0

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1601
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1601
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200202-003
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/AAMN-56LQ2J
(UNKNOWN)  CONFIRM  http://www.kb.cert.org/vuls/id/AAMN-56LQ2J
http://www.kb.cert.org/vuls/id/116875
(UNKNOWN)  CERT-VN  VU#116875
http://xforce.iss.net/xforce/xfdb/8210
(UNKNOWN)  XF  adobe-photodeluxe-execute-java(8210)
http://www.securityfocus.com/bid/4106
(VENDOR_ADVISORY)  BID  4106

- Vulnerability information

Adobe PhotoDeluxe Java Execution Vulnerability
Medium risk  Design error
2002-02-09 00:00:00 2005-10-20 00:00:00
Remote
        
        

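- Advisories and patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Disable the Connectables feature and configure the CLASSPATH variable to exclude the Adobe PhotoDeluxe Java code.
Vendor patch:
Adobe
-----
The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.adobe.com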

- Vulnerability information

17281
Adobe PhotoDeluxe Connectables Feature CLASSPATH Variable Privilege Escalation

- Vulnerability description

Unknown or Incomplete

- Timeline

2002-02-09 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Adobe PhotoDeluxe Java Execution Vulnerability
Design Error 4106
Yes No
2002-02-09 12:00:00 2009-07-11 10:56:00
Dr. Hiromitsu Takagi is credited with discovering this issue.

- Affected program versions

Adobe PhotoDeluxe 4.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
Adobe PhotoDeluxe 3.1
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home
Adobe PhotoDeluxe 3.0
- Microsoft Windows 2000 Professional SP2
- Microsoft Windows 2000 Professional SP1
- Microsoft Windows 2000 Professional
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows ME
- Microsoft Windows NT Workstation 4.0 SP6a
- Microsoft Windows NT Workstation 4.0 SP5
- Microsoft Windows NT Workstation 4.0 SP4
- Microsoft Windows NT Workstation 4.0 SP3
- Microsoft Windows NT Workstation 4.0 SP2
- Microsoft Windows NT Workstation 4.0 SP1
- Microsoft Windows NT Workstation 4.0
- Microsoft Windows XP Home

- Vulnerability discussion

Adobe PhotoDeluxe is image editing/photo album software that ships with a number of imaging devices. It runs on Microsoft Windows 9x/ME/NT/2000/XP operating systems.

Adobe PhotoDeluxe installs sensitive Java code in a public location.

One of Adobe PhotoDeluxe's features is to allow users to download extra design elements from the Adobe website. The functionality is called "Connectables" and is accomplished via the installation of Java code on the user's system. However, the Java applet is installed in an insecure manner, which may be exploited by malicious webpages or HTML e-mail viewed through the Internet Explorer web browser.

This may grant unauthorized access to sensitive information on an affected user's system. This problem, in some cases, may also result in the execution of arbitrary code.

Versions of Adobe PhotoDeluxe also exist for MacOS, though it is not known whether they are affected by this issue.

- Exploit

Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Related references

 

 
