CVE-2002-1634
CVSS5.0
发布时间 :2002-12-31 00:00:00
修订时间 :2008-09-05 16:31:07
NMCOE    

[原文]Novell NetWare 5.1 installs sample applications that allow remote attackers to obtain sensitive information via (1) ndsobj.nlm, (2) allfield.jse, (3) websinfo.bas, (4) ndslogin.pl, (5) volscgi.pl, (6) lancgi.pl, (7) test.jse, or (8) env.pl.


[CNNVD]Netware下的Netscape Enterprise Web服务器信息泄露漏洞(CNNVD-200212-179)

        
        Netscape Enterprise Web Server是一款商业性质的WEB服务器。
        Netscape Enterprise Web Server包含的样例文件对用户的请求缺少正确处理,可导致远程攻击者获得系统相关的敏感信息。
        Netscape Enterprise Web Server默认安装后存在多个样例文件,攻击者可以通过请求这些文件获得WEB主目录安装路径信息和其他服务器配置信息。
        

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

cpe:/o:novell:netware:5.0Novell NetWare 5.0
cpe:/o:novell:netware:5.1Novell NetWare 5.1

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1634
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1634
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200212-179
(官方数据源) CNNVD

- 其它链接及资源

http://www.kb.cert.org/vuls/id/159203
(PATCH)  CERT-VN  VU#159203
http://www.securityfocus.com/advisories/4158
(PATCH)  MISC  http://www.securityfocus.com/advisories/4158
http://www.securityfocus.com/advisories/4157
(PATCH)  MISC  http://www.securityfocus.com/advisories/4157
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10064452.htm
(PATCH)  CONFIRM  http://support.novell.com/cgi-bin/search/searchtid.cgi?/10064452.htm
http://xforce.iss.net/xforce/xfdb/9212
(UNKNOWN)  XF  netware-sample-information-disclosure(9212)
http://www.securityfocus.com/bid/4874
(UNKNOWN)  BID  4874
http://www.osvdb.org/17468
(UNKNOWN)  OSVDB  17468
http://www.osvdb.org/17467
(UNKNOWN)  OSVDB  17467
http://www.osvdb.org/17466
(UNKNOWN)  OSVDB  17466
http://www.osvdb.org/17465
(UNKNOWN)  OSVDB  17465
http://www.osvdb.org/17464
(UNKNOWN)  OSVDB  17464
http://www.osvdb.org/17463
(UNKNOWN)  OSVDB  17463
http://www.osvdb.org/17462
(UNKNOWN)  OSVDB  17462
http://www.osvdb.org/17461
(UNKNOWN)  OSVDB  17461

- 漏洞信息

Netware下的Netscape Enterprise Web服务器信息泄露漏洞
中危 设计错误
2002-12-31 00:00:00 2005-10-20 00:00:00
远程  
        
        Netscape Enterprise Web Server是一款商业性质的WEB服务器。
        Netscape Enterprise Web Server包含的样例文件对用户的请求缺少正确处理,可导致远程攻击者获得系统相关的敏感信息。
        Netscape Enterprise Web Server默认安装后存在多个样例文件,攻击者可以通过请求这些文件获得WEB主目录安装路径信息和其他服务器配置信息。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * 使用访问控制限制用户访问。
        厂商补丁:
        Netscape
        --------
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.netscape.com

- 漏洞信息 (21488)

Netscape Enterprise Web Server for Netware 4/5 5.0 Information Disclosure (EDBID:21488)
novell remote
2002-05-29 Verified
0 Procheckup
N/A [点击下载]
source: http://www.securityfocus.com/bid/4874/info

It has been reported that Netscape Enterprise Web Server may disclose path and system information to a remote user.

Netscape Enterprise Web Server for Netware contain several sample files which leak system information, this information can be obtained by remote users.

An attacker is able to send a request, for an affected sample file, that will cause the host to disclose the location of the web root path. Certain sample files will also reveal detailed system specific information. 

http://webserver/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/test.jse

http://webserver/lcgi/sewse.nlm?sys:/novonyx/suitespot/docs/sewse/misc/allfield.jse

http://webserver/perl/samples/env.pl

http://webserver/perl/samples/lancgi.pl

http://webserver/perl/samples/volscgi.pl

http://webserver/perl/samples/ndslogin.pl

http://webserver/netbasic/websinfo.bas

		

- 漏洞信息

17461
Novell NetWare ndsobj.nlm Sample Application Information Disclosure
Remote / Network Access Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

Novell NetWare contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when browsing 'lcgi/ndsobj.nlm' , which will disclose access to NDS and server information resulting in a loss of confidentiality.

- 时间线

2002-05-30 Unknow
2002-05-29 Unknow

- 解决方案

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: Remove sample applications prior to placing the server into production.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站