CVE-2005-0549
CVSS 4.3
Published: 2005-05-02 00:00:00
Last revised: 2016-10-17 23:12:39

[Original text] Cross-site scripting (XSS) vulnerability in Solaris AnswerBook2 Documentation 1.4.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the "View Log Files" function.


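[CNNVD] Sun AnswerBook2 multiple security vulnerabilities (CNNVD-200505-193)

1. The AnswerBook2 search function generates web pages dynamically, which may allow script to be executed or malicious HTML to be served to users. If a user follows an untrusted link/URI to AnswerBook2 search results from a web page, e-mail message or newsgroup posting, script written by a remote unprivileged user may be executed unintentionally in the user's browser. A remote attacker can use these untrusted links/URIs to execute arbitrary commands with the privileges of the user who visits the link/URI.

2. The "View Log Files" function in the AnswerBook2 browser-based administration interface (GUI) may be affected by cross-site scripting. Because of this vulnerability, an AnswerBook2 administrator who accesses the "View Log Files" function may unintentionally execute script written by a local or remote unprivileged user. Commands execute with the privileges of the user running the AnswerBook2 browser-based administration GUI, who may be a privileged user.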
        

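- CVSS (base score)

CVSS score: 4.3 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0549
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0549
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-193
(official data source) CNNVD

- Other links and resources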

http://marc.info/?l=bugtraq&m=111205163531628&w=2
(UNKNOWN)  BUGTRAQ  20050328 Multiple XSS issues in Sun AnswerBook2
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57737-1
(VENDOR_ADVISORY)  SUNALERT  57737
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1000230.1-1
(UNKNOWN)  SUNALERT  1000230

- Vulnerability information

Sun AnswerBook2 multiple security vulnerabilities
Medium risk  Cross-site scripting
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
        

- Advisories and patches

No data available

- Vulnerability information (F36842)

answerbook2.txt (PacketStormID:F36842)
2005-03-29 00:00:00
Thomas Liam Romanis  
exploit,xss
CVE-2005-0548,CVE-2005-0549

PTT Security Advisory - Sun Answerbook2 version 1.4.4 is susceptible to cross site scripting and administration attacks. Exploitation provided.

PTT SECURITY ADVISORY
DATE: 08-02-2005
AUTHOR: THOMAS LIAM ROMANIS
CURRENT EMPLOYER: Echelon Ltd
VENDOR: Sun
PRODUCT: Sun AnswerBook2
VERSION(S) TESTED: 1.4.4 on Solaris 8.0 (Sparc)
TITLE: Multiple issues in Sun Answerbook2 [Full Disclosure].

Summary.

A number of issues have been identified in Sun Answerbook2. The first is an XSS issue in the Sun Answerbook2 Search function and the other is an attack vector issue in the administrative function for viewing Access and Error log files.

Detail.

1. XSS issue in Sun Answerbook2 Search function.[CAN-2005-0548]
This issue could be used for misinformation purposes but probably little else. As a result the impact of this issue is likely to be low. 

http://192.168.197.91:8888/ab2/Help_C/@Ab2HelpSearch?scope=HELP&DwebQuery=%3Cscript%3Ealert%28%22hello%22%29%3C%2Fscript%3E&Search=+Search+

It is possible that Sun AnswerBook2 could be hosted on an Internet facing Web Server. In this case, depending on the function of the server, a more serious exposure could result. 

2. Administration Attack Vector issue.[CAN-2005-0549]
When the Answerbook2 administrator opts to view the Access log file (/var/log/ab2/logs/access-8888.log) or Error log file (/var/log/ab2/logs/access-8888.log) the file is displayed as HTML rather than plain text. As a result a number of different methods could be used to launch attacks against the Answerbook2 administrator. For example, if an XSS attempt has been made on another part of the application, even if it was not immediately successful, it will execute during the display of the Access or Error log files. Thus attacks could be waged via browser vulnerabilities against the Sun AnswerBook2 Administrator who may have escalated privileges on the host operating system.

http://192.168.197.91:8888/ab2/@Ab2Admin?command=view_access

Remedial Action.

The AnswerBook2 server is no longer shipped as of Solaris 9. The Solaris 9 Release Notes list the feature removal here:

http://docs.sun.com/app/docs/doc/806-5195/6je7ls079?s=t&a=view

Thus Solaris 9 and 10 are not impacted by this issue. Solaris 7 and 8 are the other currently supported releases of Solaris and they are impacted by this issue. Sun isn't planning on producing further patches for the AnswerBook2 server on Solaris 7 and 8 at this time. The Sun Alert recommends disabling AnswerBook2 and using other sources of documentation, namely the Solaris Documentation CD and online formats at http://docs.sun.com.

The Alert Released by Sun can be found at:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-57737-1
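
The log-viewer problem described in issue 2 of the advisory, as an added example that is not part of the advisory and is not AnswerBook2 code: it contrasts a viewer that places log text in the page as markup with two safe ways to display the same lines. All function names and the sample log lines are hypothetical and constructed for illustration.

```python
import html

# Constructed sample lines in common-log style; not taken from a real AnswerBook2 log.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Feb/2005:10:00:00 +0000] "GET /ab2/Help_C/ HTTP/1.0" 200 512',
    '192.0.2.66 - - [08/Feb/2005:10:00:05 +0000] '
    '"GET /ab2/<script>alert("hello")</script> HTTP/1.0" 404 0',
]


def render_log_as_html_unsafe(lines):
    """Behaviour the advisory describes: log text is emitted as HTML markup."""
    return "<html><body>" + "<br>".join(lines) + "</body></html>"


def render_log_as_html_safe(lines):
    """Escape every line so the browser shows it as text instead of parsing it."""
    body = "\n".join(html.escape(line, quote=True) for line in lines)
    return "<html><body><pre>" + body + "</pre></body></html>"


def plain_text_response(lines):
    """Alternative: serve the log as text/plain and forbid content sniffing."""
    headers = {
        "Content-Type": "text/plain; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
    }
    return headers, "\n".join(lines)


def lines_with_markup(lines):
    """Return indexes of entries holding characters significant to an HTML parser."""
    return [i for i, line in enumerate(lines) if any(c in line for c in "<>")]


if __name__ == "__main__":
    print(render_log_as_html_safe(SAMPLE_LOG))
    print("entries containing markup:", lines_with_markup(SAMPLE_LOG))
```
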

    

- Vulnerability information

14634
Sun AnswerBook2 View Log File Function XSS
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2005-03-09 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
