CVE-2005-0142
CVSS 2.1
Published: 2005-05-02 00:00:00
Revised: 2011-03-07 21:19:35

[Original] Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments that belong to other users, e.g. content that is managed by helper applications such as PDF.


[CNNVD] Mozilla Temporary File Insecure Permissions Information Disclosure Vulnerability (CNNVD-200505-059)

        Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 versions before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments belonging to other users, for example content handled by helper applications such as PDF viewers.

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

cpe:/a:mozilla:thunderbird:0.8   Mozilla Thunderbird 0.8
cpe:/a:mozilla:mozilla:1.7:rc3   Mozilla Mozilla 1.7 rc3
cpe:/a:mozilla:mozilla:1.7.1   Mozilla Mozilla 1.7.1
cpe:/a:mozilla:firefox:0.9   Mozilla Firefox 0.9
cpe:/a:mozilla:mozilla:1.7.2   Mozilla Mozilla 1.7.2
cpe:/a:mozilla:mozilla:1.7   Mozilla Mozilla 1.7
cpe:/a:mozilla:thunderbird:0.7   Mozilla Thunderbird 0.7
cpe:/a:mozilla:thunderbird:0.6   Mozilla Thunderbird 0.6
cpe:/a:mozilla:mozilla:1.7.3   Mozilla Mozilla 1.7.3

- OVAL (technical details for detection)

oval:org.mitre.oval:def:9543   Mozilla before 1.7.6, and Firefox before 1.0.1, allows remote attackers to spoof arbitrary web sites by injecting content from one window in...
oval:org.mitre.oval:def:100056   Mozilla Creates World-readable temp Files
*OVAL definitions describe in detail how to detect this vulnerability; see the OVAL definitions listed above for the technical details of the checks.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0142
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0142
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-059
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/17832
(VENDOR_ADVISORY)  XF  mozilla-world-readable(17832)
http://www.redhat.com/support/errata/RHSA-2005-335.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2005:335
https://bugzilla.mozilla.org/show_bug.cgi?id=251297
(UNKNOWN)  CONFIRM  https://bugzilla.mozilla.org/show_bug.cgi?id=251297
http://www.novell.com/linux/security/advisories/2006_04_25.html
(UNKNOWN)  SUSE  SUSE-SA:2006:004
http://www.mozilla.org/security/announce/mfsa2005-02.html
(VENDOR_ADVISORY)  CONFIRM  http://www.mozilla.org/security/announce/mfsa2005-02.html
http://www.redhat.com/support/errata/RHSA-2005-384.html
(UNKNOWN)  REDHAT  RHSA-2005:384
http://www.novell.com/linux/security/advisories/2006_04_25.html
(UNKNOWN)  SUSE  SUSE-SA:2006:022
http://secunia.com/advisories/19823
(UNKNOWN)  SECUNIA  19823

- Vulnerability information

Mozilla Temporary File Insecure Permissions Information Disclosure Vulnerability
Low severity   Design error
2005-05-02 00:00:00   2005-10-20 00:00:00
Local
        Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 versions before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments belonging to other users, for example content handled by helper applications such as PDF viewers.

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; it can be obtained from:
        http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/

- Vulnerability information

11118
Mozilla Multiple Products Downloaded File Content Disclosure

- Vulnerability description

Unknown or Incomplete

- Timeline

2004-10-24 Unknown
2004-10-24 Unknown

- Solution

Unknown or Incomplete

- Related references

- Credit

Unknown or Incomplete

- Vulnerability information

Mozilla Temporary File Insecure Permissions Information Disclosure Vulnerability
Class: Design Error   Bugtraq ID: 11522
Remote: No   Local: Yes
Published: 2004-10-25 12:00:00   Updated: 2007-01-25 04:21:00
This vulnerability was disclosed by Martin <broadcast@ptraced.net>.

- Affected versions

SGI ProPack 3.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
RedHat Linux 9.0 i386
RedHat Linux 7.3 i686
RedHat Linux 7.3 i386
RedHat Linux 7.3
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Desktop 3.0
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 3
Red Hat Enterprise Linux AS 2.1 IA64
Red Hat Enterprise Linux AS 2.1
Netscape Netscape 7.2
Netscape Netscape 7.1
Netscape Netscape 7.0
Mozilla Thunderbird 0.8
Mozilla Thunderbird 0.7.3
Mozilla Thunderbird 0.7.2
Mozilla Thunderbird 0.7.1
Mozilla Thunderbird 0.7
Mozilla Thunderbird 0.6
Mozilla Firefox 0.10.1
Mozilla Firefox 0.10
Mozilla Firefox 0.9.3
Mozilla Firefox 0.9.2
Mozilla Firefox 0.9.1
Mozilla Firefox 0.9 rc
Mozilla Firefox 0.9
Mozilla Firefox Preview Release
Mozilla Browser 1.8 Alpha 4
Mozilla Browser 1.8 Alpha 3
Mozilla Browser 1.8 Alpha 2
Mozilla Browser 1.8 Alpha 1
Mozilla Browser 1.7.3
+ HP HP-UX B.11.23
+ HP HP-UX B.11.22
+ HP HP-UX B.11.22
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.00
+ HP HP-UX B.11.00
+ HP Tru64 5.1 B-2 PK4 (BL25)
+ HP Tru64 5.1 B-2 PK4 (BL25)
+ HP Tru64 5.1 B-2 PK4
+ HP Tru64 5.1 B-2 PK4
+ HP Tru64 5.1 B PK4
+ HP Tru64 5.1 B PK4
+ HP Tru64 5.1 A PK6 (BL24)
+ HP Tru64 5.1 A PK6 (BL24)
+ HP Tru64 5.1 A PK6
+ HP Tru64 5.1 A PK6
Mozilla Browser 1.7.2
Mozilla Browser 1.7.1
Mozilla Browser 1.7 rc3
Mozilla Browser 1.7 rc2
Mozilla Browser 1.7 rc1
Mozilla Browser 1.7 beta
Mozilla Browser 1.7 alpha
Mozilla Browser 1.7

- Unaffected versions

Netscape Netscape 8.0
Mozilla Browser 1.7.6
+ HP HP-UX B.11.23
+ HP HP-UX B.11.23
+ HP HP-UX B.11.22
+ HP HP-UX B.11.22
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.11
+ HP HP-UX B.11.00
+ HP HP-UX B.11.00
+ Red Hat Enterprise Linux AS 4
+ Red Hat Enterprise Linux AS 4
+ RedHat Desktop 4.0
+ RedHat Desktop 4.0
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux ES 4
+ RedHat Enterprise Linux WS 4
+ RedHat Enterprise Linux WS 4
+ Turbolinux Home
+ Turbolinux Home
+ Turbolinux Turbolinux 10 F...
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Desktop 10.0
+ Turbolinux Turbolinux Server 10.0
+ Turbolinux Turbolinux Server 10.0

- Discussion

Mozilla, Mozilla Firefox, and Mozilla Thunderbird are all reported susceptible to an information-disclosure vulnerability. The applications fail to properly ensure secure file permissions on temporary files located in world-accessible locations.

This vulnerability allows local attackers to access the contents of potentially sensitive files, which may aid them in further attacks.
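As an added example, not code from Mozilla or from any of the advisories referenced on this page, the following POSIX C program shows the pattern behind this class of bug: a temporary-file writer that leaves the final mode to the process umask (0644 on a typical desktop, so readable by every local user), beside a hardened writer that pins owner-only access with mkstemp() and fchmod(0600), plus a directory audit that flags files readable by group or others, which is the manual form of the OVAL "world-readable temp files" check. The scratch directory name, the helper-XXXXXX template, and the attachment body are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if group or others may read path, 0 if only the owner can, -1 on error. */
int readable_by_others(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    return (st.st_mode & (S_IRGRP | S_IROTH)) ? 1 : 0;
}

/* Vulnerable pattern: 0666 goes to open() and the result is left to the umask.
 * Desktops usually run with umask 022, giving 0644: every local user can read
 * the file. umask(022) is set here only to make that default reproducible. */
int create_temp_insecure(const char *dir, char *path, size_t len)
{
    static int seq;
    snprintf(path, len, "%s/helper-%ld-%d", dir, (long)getpid(), seq++);
    mode_t old = umask(022);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    umask(old);
    return fd;
}

/* Hardened pattern: mkstemp() creates the file O_EXCL with an unpredictable
 * name, and fchmod(0600) pins owner-only access regardless of the umask. */
int create_temp_secure(const char *dir, char *path, size_t len)
{
    snprintf(path, len, "%s/helper-XXXXXX", dir);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Audit: count regular files directly under dir that group or others can read.
 * Pointed at /tmp on a shared host this is the manual form of the OVAL check. */
int count_readable_by_others(const char *dir)
{
    DIR *d = opendir(dir);
    if (!d) return -1;
    int n = 0;
    struct dirent *e;
    char path[4096];
    struct stat st;
    while ((e = readdir(d)) != NULL) {
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (stat(path, &st) == 0 && S_ISREG(st.st_mode) &&
            (st.st_mode & (S_IRGRP | S_IROTH)))
            n++;
    }
    closedir(d);
    return n;
}

struct demo_result { int insecure, secure, leaks; };

/* Creates one file of each kind in a private scratch directory, runs the
 * per-file check and the audit, cleans up, and returns all three results
 * (expected insecure=1, secure=0, leaks=1; -1 marks a setup failure). */
struct demo_result demo(void)
{
    struct demo_result r = { -1, -1, -1 };
    const char *base = getenv("TMPDIR");
    char dir[512], bad[600], good[600];
    snprintf(dir, sizeof dir, "%s/cve-2005-0142-XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(dir)) return r;
    int fd1 = create_temp_insecure(dir, bad, sizeof bad);
    int fd2 = create_temp_secure(dir, good, sizeof good);
    /* constructed placeholder for an attachment a helper app would open */
    const char body[] = "Subject: payroll.pdf (attachment body)\n";
    if (fd1 >= 0 && fd2 >= 0 &&
        write(fd1, body, sizeof body - 1) > 0 && write(fd2, body, sizeof body - 1) > 0) {
        r.insecure = readable_by_others(bad);
        r.secure = readable_by_others(good);
        r.leaks = count_readable_by_others(dir);
    }
    if (fd1 >= 0) { close(fd1); unlink(bad); }
    if (fd2 >= 0) { close(fd2); unlink(good); }
    rmdir(dir);
    return r;
}

int main(void)
{
    struct demo_result r = demo();
    printf("insecure readable by others: %d, secure: %d, audit flagged: %d\n",
           r.insecure, r.secure, r.leaks);
    return (r.insecure == 1 && r.secure == 0 && r.leaks == 1) ? 0 : 1;
}
```

The per-file check looks only at the mode bits, so it gives the same answer whether it is run by the file's owner or by root; what matters for this bug is that a different unprivileged user could pass the same test. Note that relying on the umask is the root cause here: an application that writes another user's mail attachment or downloaded document to a shared directory has to request 0600 itself, as the hardened writer does.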

- Exploit

An exploit is not required.

- Solution

Please see the referenced advisories for further information.


Red Hat Fedora Core2
Mozilla Browser 1.7
Mozilla Browser 1.7.3
S.u.S.E. Linux Professional 10.0
Netscape Netscape 7.0
Netscape Netscape 7.1
Netscape Netscape 7.2
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.3

- Related references