[Original text] Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
Multiple Vendor Telnet Client NEW-ENVIRON Variable Information Disclosure
Loss of Confidentiality
Microsoft has released a patch to address this vulnerability. Additionally, it is possible to temporarily work around the flaw by implementing the following workaround: For Windows-based platforms, disabling the Telnet handler or specifying a different application to handle Telnet URLs can mitigate URL-based attacks. This can be accomplished by removing or modifying the following
This workaround should prevent automatic exploitation attempts. It does not fix the underlying issue.
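For detection, the NEW-ENVIRON SEND request described in this entry can be spotted in captured server-to-client Telnet bytes. The parser below is an added example, not part of the original advisory or any vendor's code; it uses the option and command codes from RFC 1572, and the sample stream and the variable name `EXAMPLE_VAR` are constructed.

```python
"""Flag NEW-ENVIRON SEND requests in server-to-client Telnet bytes."""

IAC, SB, SE = 255, 250, 240        # Telnet command bytes (RFC 854)
NEW_ENVIRON, SEND = 39, 1          # option code and subcommand (RFC 1572)
VAR, ESC, USERVAR = 0, 2, 3        # type/escape bytes inside the payload
TYPE_NAMES = {VAR: "VAR", USERVAR: "USERVAR"}

def subnegotiations(stream: bytes):
    """Yield (option, payload) per IAC SB ... IAC SE, un-doubling IAC IAC."""
    i, n = 0, len(stream)
    while i + 2 < n:
        if stream[i] != IAC:
            i += 1
        elif 251 <= stream[i + 1] <= 254:      # WILL/WONT/DO/DONT <option>
            i += 3
        elif stream[i + 1] != SB:
            i += 2
        else:
            option, payload, j = stream[i + 2], bytearray(), i + 3
            while j < n:
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == SE:
                    yield option, bytes(payload)
                    break
                if stream[j] == IAC and j + 1 < n and stream[j + 1] == IAC:
                    j += 1                      # escaped 0xFF data byte
                payload.append(stream[j])
                j += 1
            i = j + 2                           # unterminated SB ends the scan

def requested_variables(payload: bytes):
    """Return (type, name) pairs of a SEND payload, or None if not a SEND.
    An empty name means "all variables of this type"."""
    if not payload or payload[0] != SEND:
        return None
    out, i = [], 1
    while i < len(payload):
        kind, name, i = payload[i], bytearray(), i + 1
        while i < len(payload) and payload[i] not in (VAR, USERVAR):
            if payload[i] == ESC and i + 1 < len(payload):
                i += 1                          # ESC quotes the next byte
            name.append(payload[i])
            i += 1
        out.append((TYPE_NAMES.get(kind, hex(kind)), name.decode("latin-1")))
    return out

def find_env_requests(server_bytes: bytes):
    """One list of (type, name) per NEW-ENVIRON SEND sent by the server."""
    reqs = (requested_variables(p) for o, p in subnegotiations(server_bytes)
            if o == NEW_ENVIRON)
    return [r for r in reqs if r is not None]

# Constructed sample: DO NEW-ENVIRON, then SEND USERVAR "EXAMPLE_VAR" VAR "USER".
SAMPLE = (bytes([IAC, 253, NEW_ENVIRON, IAC, SB, NEW_ENVIRON, SEND, USERVAR])
          + b"EXAMPLE_VAR" + bytes([VAR]) + b"USER" + bytes([IAC, SE]) + b"login: ")
```

A SEND that names USERVARs the client never offered, or one with an empty USERVAR name, is the pattern worth alerting on when it comes from a server the user did not intend to reach.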