CVE-2006-1050
CVSS2.1
发布时间 :2006-03-07 15:02:00
修订时间 :2008-09-05 17:00:54
NMCO    

[原文]** DISPUTED ** Kwik-Pay Payroll 4.2.20, and possibly other versions, stores the KwikPay.mdb database file with insecure permissions, which allows local users to obtain sensitive information such as employment and payment data. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. NOTE: the vendor has disputed this vulnerability, stating that "The kwikpay.mdb file supplied with kwikpay is a template for the database structure of user databases created by kwikpay and to store a demonstration payroll. It does not contain any sensitive user information. When a user payroll database is opened, the encryption of the database is checked and if the database is not encrypted, the user is prompted to encrypt the database, but the choice is the customers."


[CNNVD] Kwik 'KwikPay.mdb'数据库加密漏洞(CNNVD-200603-097)

        ** 有争议 ** Kwik-支付工资表 4.2.20(可能还有其它版本),存储带非安全许可的KwikPay.mdb数据库文件,从而允许本地用户获得诸如雇佣和工资数据等敏感资料。注:此信息来源未知;详情由第三方来源独自提供。注: 供应商对该漏洞有异议,指出"与kwikpay一起提供的kwikpay.mdb 文件是一个用于由kwikpay创建的用户数据库结构的模板并存储一个演示工资表。它并不包含任何敏感用户消息。当打开一个用户工资数据库时,要检查数据库加密,如果数据库没有加密,就会向用户提示加密数据库,是否加密由用户选择"。

- CVSS (基础分值)

CVSS分值: 2.1 [轻微(LOW)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: LOCAL [漏洞利用需要具有物理访问权限或本地帐户]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1050
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1050
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-097
(官方数据源) CNNVD

- 其它链接及资源

http://xforce.iss.net/xforce/xfdb/25114
(UNKNOWN)  XF  kwikpay-payroll-insecure-permissions(25114)
http://www.osvdb.org/23617
(UNKNOWN)  OSVDB  23617
http://secunia.com/advisories/19075
(VENDOR_ADVISORY)  SECUNIA  19075

- 漏洞信息

Kwik 'KwikPay.mdb'数据库加密漏洞
低危 未知
2006-03-07 00:00:00 2007-08-27 00:00:00
本地  
        ** 有争议 ** Kwik-支付工资表 4.2.20(可能还有其它版本),存储带非安全许可的KwikPay.mdb数据库文件,从而允许本地用户获得诸如雇佣和工资数据等敏感资料。注:此信息来源未知;详情由第三方来源独自提供。注: 供应商对该漏洞有异议,指出"与kwikpay一起提供的kwikpay.mdb 文件是一个用于由kwikpay创建的用户数据库结构的模板并存储一个演示工资表。它并不包含任何敏感用户消息。当打开一个用户工资数据库时,要检查数据库加密,如果数据库没有加密,就会向用户提示加密数据库,是否加密由用户选择"。

- 公告与补丁

        

- 漏洞信息

23617
Kwik-Pay Payroll Payroll and Employment Information Disclosure
Local Access Required Information Disclosure
Loss of Confidentiality
Exploit Public

- 漏洞描述

Kwik-Pay Payroll contains a flaw that may lead to an unauthorized information disclosure. The issue is due to employment and payment information being stored in database files with insecure file permissions in the installation directory, which is accessible by any local user on the system.

- 时间线

2006-03-03 Unknow
2006-03-03 Unknow

- 解决方案

Upgrade to version 4.2.22 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站