Published: 2006-03-07 16:06:00
Revised: 2011-03-07 21:31:53

[Original text] Unspecified vulnerability in lurker.cgi for Lurker 2.0 and earlier allows attackers to read arbitrary files via unknown vectors.

[CNNVD] Lurker 'lurker.cgi' Multiple Input Validation Vulnerabilities (CNNVD-200603-086)

        An unspecified vulnerability in lurker.cgi in Lurker 2.0 and earlier allows attackers to read arbitrary files via unknown vectors.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no special access conditions required to exploit]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(official data source) MITRE
(official data source) NVD
(official data source) CNNVD

- Other links and resources
(UNKNOWN)  VUPEN  ADV-2006-0850
(VENDOR_ADVISORY)  MLIST  [Lurker-users] 20060302 Serious security vulnerabilities found
(UNKNOWN)  XF  lurker-lurker-information-disclosure(25149)
(UNKNOWN)  BID  17003

- Vulnerability information

Lurker 'lurker.cgi' Multiple Input Validation Vulnerabilities
Severity: Medium    Type: Input validation
Published: 2006-03-07 00:00:00    Updated: 2006-03-08 00:00:00
        An unspecified vulnerability in lurker.cgi in Lurker 2.0 and earlier allows attackers to read arbitrary files via unknown vectors.

- Advisories and patches

        Lurker Lurker 2.0
            Lurker lurker-2.1.tar.gz
        Lurker Lurker 0.1a
            Lurker lurker-2.1.tar.gz
        Lurker Lurker 1.2
            Debian lurker_1.2-5sarge1_alpha.deb    (Debian GNU/Linux 3.1 alias sarge)
            Debian lurker_1.2-5sarge1_amd64.deb    (Debian GNU/Linux 3.1 alias sarge)
            Debian lurker_1.2-5sarge1_arm.deb      (Debian GNU/Linux 3.1 alias sarge)
            Debian lurker_1.2-5sarge1_hppa.deb     (Debian GNU/Linux 3.1 alias sarge)
            Debian lurker_1.2-5sarge1_i386.deb     (Debian GNU/Linux 3.1 alias sarge)
            Debian lurker_1.2-5sarge1_ia64.deb     (Debian GNU/Linux 3.1 alias sarge)
            Debian lurker_1.2-5sarge1_m68k.deb     (Debian GNU/Linux 3.1 alias sarge)
            Debian lurker_1.2-5sarge1_mips.deb     (Debian GNU/Linux 3.1 alias sarge)
            Debian lurker_1.2-5sarge1_mipsel.deb   (Debian GNU/Linux 3.1 alias sarge)
            Debian lurker_1.2-5sarge1_powerpc.deb  (Debian GNU/Linux 3.1 alias sarge)
            Debian lurker_1.2-5sarge1_s390.deb     (Debian GNU/Linux 3.1 alias sarge)
            Debian lurker_1.2-5sarge1_sparc.deb    (Debian GNU/Linux 3.1 alias sarge)

- Vulnerability information

Lurker lurker.cgi Arbitrary File Access
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-03-06  Unknown
Unknown     Unknown

- Solution

Upgrade to version 2.1 or higher, which is reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Lurker Multiple Input Validation Vulnerabilities
Class: Input Validation Error    BID: 17003
Remote: Yes    Local: No
Published: 2006-03-07 12:00:00    Updated: 2006-12-15 07:48:00
The vendor credits Moritz Naumann with the discovery of these issues.

- Affected program versions

Lurker Lurker 2.0
Lurker Lurker 1.2
Lurker Lurker 0.1a
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1

- Unaffected program versions

Lurker Lurker 2.1

- Vulnerability discussion

Lurker is prone to multiple input-validation vulnerabilities. These issues are due to the application's failure to properly sanitize user-supplied input.

An attacker may leverage these issues to retrieve arbitrary files, overwrite arbitrary files, and have arbitrary script code executed in the browser of an unsuspecting user, all in the context of the affected site. This may facilitate a compromise of the application and the theft of cookie-based authentication credentials as well as other attacks.
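The advisories above name three consequences (arbitrary file read, arbitrary file overwrite, script injection into the user's browser) but do not disclose which lurker.cgi parameters are involved. As an added example, not Lurker's own code and not a description of its real request format, the following C++ (Lurker is a C++ CGI) shows the two checks that close those bug classes generically: refuse any request-supplied path component that could leave the archive root, and HTML-escape request-derived values before reflecting them. The archive root, the function names and the sample parameter values are assumptions made for the demonstration.

```cpp
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// Split a '/'-separated relative path into its segments. Purely lexical:
// no filesystem access, so the result does not depend on what exists on disk.
static std::vector<std::string> split_segments(const std::string& path) {
    std::vector<std::string> segments;
    std::string current;
    for (char c : path) {
        if (c == '/') {
            segments.push_back(current);
            current.clear();
        } else {
            current += c;
        }
    }
    segments.push_back(current);
    return segments;
}

// Accept a request parameter only if it is a plain relative path that cannot
// escape the archive root: no NUL byte, no leading slash, no empty, "." or
// ".." segment, and each segment limited to a conservative character set
// (letters, digits, '-', '_', '.', '@'). Anything else is rejected outright
// rather than "cleaned", so there is no sanitiser to bypass.
bool is_safe_relative_path(const std::string& user) {
    if (user.empty() || user.size() > 255) return false;
    if (user.find('\0') != std::string::npos) return false;
    if (user[0] == '/') return false;
    for (const std::string& seg : split_segments(user)) {
        if (seg.empty() || seg == "." || seg == "..") return false;
        for (unsigned char c : seg) {
            if (!(std::isalnum(c) || c == '-' || c == '_' || c == '.' || c == '@')) {
                return false;
            }
        }
    }
    return true;
}

// Resolve a validated parameter under a fixed archive root. Returns an empty
// string when validation fails, so callers cannot forget to check.
std::string resolve_under_root(const std::string& root, const std::string& user) {
    if (!is_safe_relative_path(user)) return "";
    return root + "/" + user;
}

// Escape the five HTML-significant characters before reflecting any
// request-derived value into a page: data goes out as text, never as markup.
std::string html_escape(const std::string& s) {
    std::string out;
    out.reserve(s.size());
    for (char c : s) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

int main() {
    // Constructed sample inputs; the parameter values are invented for the
    // demonstration and do not come from lurker.cgi.
    const std::string root = "/var/lib/lurker";  // assumed archive root
    const char* samples[] = {
        "message/20060302.abc@example.org.html",
        "../../../../etc/passwd",
        "/etc/passwd",
        "list/./index.html",
        "list/<script>alert(1)</script>",
    };
    for (const char* s : samples) {
        std::string resolved = resolve_under_root(root, s);
        std::cout << html_escape(s) << " -> "
                  << (resolved.empty() ? "REJECTED" : resolved) << '\n';
    }
    return 0;
}
```

The check must run on the decoded CGI value, after percent-decoding, or an encoded `%2e%2e` slips past it. Because it is lexical only, it does not protect against symlinks already inside the archive root; where those can exist, additionally canonicalize the resolved path with realpath(3) and confirm it still starts with the root. Rejecting instead of stripping `..` is deliberate: strip-based filters are what sequences like `....//` are built to defeat.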

- Exploitation

This issue can be exploited via a web client.

- Solution

The vendor has released version 2.1 to address these issues.

Lurker Lurker 2.0
Lurker Lurker 0.1a
Lurker Lurker 1.2

- Related references