CVE-2004-0671
CVSS 5.0
Published: 2004-08-06 00:00:00
Last revised: 2016-10-17 22:47:33

[Original] Brightmail Spamfilter 6.0 and earlier beta releases allows remote attackers to read mail from other users by modifying the id parameter in a viewMsgDetails.do request.


[CNNVD] Symantec Brightmail Anti-spam Unauthorized Information Disclosure Vulnerability (CNNVD-200408-062)

        
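        Symantec Brightmail is an anti-spam system.
        The Control Center of Symantec Brightmail Anti-Spam has a security issue: a remote attacker can exploit this vulnerability to read the content of users' filtered email, resulting in information disclosure.
        By submitting a specially crafted request to the Control Center, filtered mail can be viewed without authorization.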
        

- CVSS (Base Score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

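- CPE (Affected Platforms and Products)

Product and version information (CPE) is not currently available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links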

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0671
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0671
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200408-062
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=108880205115802&w=2
(UNKNOWN)  BUGTRAQ  20040701 Brightmail leaks other user's spam
http://marc.info/?l=bugtraq&m=108981452101353&w=2
(UNKNOWN)  BUGTRAQ  20040714 Ref: http://www.securityfocus.com/archive/1/367866, Jul 1 2004 1:19PM, Subj: Brightmail
http://www.securityfocus.com/bid/10657
(VENDOR_ADVISORY)  BID  10657
http://xforce.iss.net/xforce/xfdb/16609
(VENDOR_ADVISORY)  XF  symantec-brightmail-view-mail(16609)

- Vulnerability Information

Symantec Brightmail Anti-spam Unauthorized Information Disclosure Vulnerability
Medium risk  Access validation error
2004-08-06 00:00:00 2005-10-20 00:00:00
Remote
        
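        Symantec Brightmail is an anti-spam system.
        The Control Center of Symantec Brightmail Anti-Spam has a security issue: a remote attacker can exploit this vulnerability to read the content of users' filtered email, resulting in information disclosure.
        By submitting a specially crafted request to the Control Center, filtered mail can be viewed without authorization.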
        

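- Advisories and Patches

        Vendor patch:
        Symantec
        --------
        The vendor has not yet provided a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version: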
        
        http://www.brightmail.com/

- Vulnerability Information (24251)

Symantec Brightmail Anti-spam 6.0 Unauthorized Message Disclosure Vulnerability (EDBID:24251)
cgi webapps
2004-07-05 Verified
0 Thomas Springer
N/A
source: http://www.securityfocus.com/bid/10657/info

Symantec Brightmail anti-spam is reported prone to an unauthorized message disclosure vulnerability.

This issue exists in the Brightmail anti-spam control center. Due to improper access validation a remote attacker can read users' filtered email.

Symantec Brightmail anti-spam 6.0 is reported prone to this issue, however, other versions may be affected as well.

/brightmail/quarantine/viewMsgDetails.do?id=QMsgView-[some-value]		

- Vulnerability Information

7418
Symantec Brightmail viewMsgDetails.do Request Arbitrary Mail Disclosure
Remote / Network Access Input Manipulation
Loss of Confidentiality
Exploit Public

- Vulnerability Description

Symantec Brightmail Spamfilter contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when an attacker alters the id parameter, which will disclose potential mail information resulting in a loss of confidentiality.

- Timeline

2004-07-05 2004-07-01
2004-07-05 Unknown

- Solution

Upgrade to version 6.0.0.121 or higher, as it has been reported to fix this vulnerability. Additionally, Symantec has released a patch to address this vulnerability.

- Related References

- Vulnerability Author

- Vulnerability Information

Symantec Brightmail Anti-spam Unauthorized Message Disclosure Vulnerability
Access Validation Error 10657
Yes No
2004-07-05 12:00:00 2009-07-12 06:16:00
Discovery is credited to Thomas Springer.

- Affected Software Versions

Symantec Brightmail Anti-Spam 6.0

- Discussion

Symantec Brightmail anti-spam is reported prone to an unauthorized message disclosure vulnerability.

This issue exists in the Brightmail anti-spam control center. Due to improper access validation a remote attacker can read users' filtered email.

Symantec Brightmail anti-spam 6.0 is reported prone to this issue, however, other versions may be affected as well.

- Exploit

No exploit is required.

The following proof of concept is available:
/brightmail/quarantine/viewMsgDetails.do?id=QMsgView-[some-value]

- Solution

Symantec has acknowledged the presence of this issue in Brightmail Anti-Spam 6.0. A fix is available for authorized customers through the support download site. To obtain the fix, please see the support download page in Web references below.

- Related References

 

 
