Published: 2004-12-06 00:00:00
Revised: 2017-07-10 21:30:18

[Original] The Mobile Code filter in ZoneAlarm Pro 5.0.590.015 does not filter mobile code within an SSL encrypted session, which could allow remote attackers to bypass the mobile code filtering. NOTE: it has been disputed by the vendor that this behavior is required by the SSL specification.

[CNNVD] ZoneAlarm Pro Mobile Code File Mobile Code Filtering Bypass Vulnerability (CNNVD-200412-023)

        The Mobile Code file in ZoneAlarm Pro version 5.0.590.015 does not filter mobile code within SSL-encrypted sessions; a remote attacker can exploit this vulnerability to bypass mobile code filtering.

- CVSS (Base Score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected platforms and products)


- OVAL (Technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  BUGTRAQ  20040625 Zone Labs response to "ZoneAlarm Pro 'Mobile Code' Bypass Vulnerability"
(UNKNOWN)  BUGTRAQ  20040621 ZoneAlarm Pro 'Mobile Code' Bypass Vulnerability
(UNKNOWN)  BID  10584
(UNKNOWN)  XF  zonealarm-mobile-code-bypass(16471)

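- Vulnerability information

ZoneAlarm Pro Mobile Code File Mobile Code Filtering Bypass Vulnerability
Medium Unknown
2004-12-06 00:00:00 2005-10-20 00:00:00
        The Mobile Code file in ZoneAlarm Pro version 5.0.590.015 does not filter mobile code within SSL-encrypted sessions; a remote attacker can exploit this vulnerability to bypass mobile code filtering.

- Announcements and patches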


- Vulnerability information

ZoneAlarm Pro Mobile Code Filter Protection Bypass
Remote / Network Access Cryptographic
Loss of Confidentiality
Exploit Unknown

- Vulnerability description

According to the advisory, ZoneAlarm Pro contains a flaw that may allow a remote attacker to bypass the 'Mobile Code' filter. The 'Mobile Code' blocking feature filters malicious Web objects and any 'application/*' MIME type, but does not filter SSL content. A remote attacker could create a malicious SSL Web page and bypass the Mobile Code filter.

- Timeline

2004-06-25 2004-06-21
Unknown Unknown

- Solution

According to the vendor, "ZoneAlarm Pro, Security Suite and Integrity products which employ Mobile Code Protection/ID Lock features do not inspect encrypted traffic. If mobile code is downloaded via a Secure Sockets Layer (SSL) session, it will not be inspected by these products. This is by design and mandated by the SSL Protocol specification."

- Related references

- Vulnerability author