CVE-2003-0491
CVSS 7.5
Published: 2003-08-07 00:00:00
Revised: 2016-10-17 22:34:34

[Original] The Tutorials 2.0 module in XOOPS and E-XOOPS allows remote attackers to execute arbitrary code by uploading a PHP file without a MIME image type, then directly accessing the uploaded file.


[CNNVD] XOOPS and E-XOOPS Tutorials Arbitrary Code Execution via Direct Access to Uploaded File Vulnerability (CNNVD-200308-032)

        The Tutorials 2.0 module in XOOPS and E-XOOPS contains a vulnerability. A remote attacker can execute arbitrary code by uploading a PHP file that lacks an image MIME type, then directly accessing the uploaded file.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0491
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0491
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-032
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=vuln-dev&m=105577873506147&w=2
(UNKNOWN)  BUGTRAQ  20030616 Directory traversal vulnerability on Xoops/E-xoops CMS module "tutorials"

- Vulnerability information

XOOPS and E-XOOPS Tutorials Arbitrary Code Execution via Direct Access to Uploaded File Vulnerability
High severity  Unknown
2003-08-07 00:00:00 2005-10-20 00:00:00
Remote
        The Tutorials 2.0 module in XOOPS and E-XOOPS contains a vulnerability. A remote attacker can execute arbitrary code by uploading a PHP file that lacks an image MIME type, then directly accessing the uploaded file.

- Advisories and patches


- Vulnerability information

2152
XOOPS Tutorials Module Arbitrary Command Execution
Remote / Network Access Misconfiguration
Loss of Integrity

- Vulnerability description

Tutorials contains a flaw that allows a remote attacker to upload and execute arbitrary files. The issue is due to a flaw in the embedded PHP uploader routine, which does not check the MIME type of uploaded files. An attacker may be able to upload an arbitrary file of any type (not just an image) and then request it, causing it to be executed via a standard HTTP request.
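The flaw described above is a missing content check in an image uploader. The following is an added example of the validation such an uploader needs; it is not XOOPS, E-XOOPS or Tutorials module code, and the function name, field name and upload directory are assumptions.

```php
<?php
// Added example (not XOOPS/E-XOOPS code): validate an "image" upload by its
// content rather than trusting the client, and choose the stored name ourselves.
declare(strict_types=1);

// Sniffed MIME type => server-chosen extension (allowlist; everything else rejected).
const ALLOWED_IMAGE_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES as an image and return a safe destination path,
 * or null with $error set when the upload must be rejected.
 */
function validate_image_upload(array $file, string $uploadDir, ?string &$error): ?string
{
    $error = null;
    if (!isset($file['tmp_name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        $error = 'upload failed';
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        $error = 'not an uploaded file';
        return null;
    }
    // $file['type'] is sent by the client and must not be trusted; sniff the bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        $error = "disallowed content type: $mime";
        return null;
    }
    if (@getimagesize($file['tmp_name']) === false) {
        $error = 'not a decodable image';
        return null;
    }
    // Content checks alone can be fooled by polyglot files, so the extension is
    // always ours (never the client's), which keeps a stored file from being
    // handled as a PHP script when it is requested over HTTP.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    return rtrim($uploadDir, '/') . '/' . $name;
}

// Assumed usage: form field "tutorial_image", upload directory /srv/uploads.
// $dest = validate_image_upload($_FILES['tutorial_image'], '/srv/uploads', $err);
// if ($dest !== null) { move_uploaded_file($_FILES['tutorial_image']['tmp_name'], $dest); }
```

The upload directory should additionally be served with script execution disabled (or kept outside the web root), so that a file which slips past the checks still cannot run.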

- Timeline

2003-06-16 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

