CVE-2006-1079
CVSS 7.2
Published: 2006-03-08 19:02:00
Last revised: 2016-10-17 23:39:22

[Original text] htpasswd, as used in Acme thttpd 2.25b and possibly other products such as Apache, might allow local users to gain privileges via shell metacharacters in a command line argument, which is used in a call to the system function. NOTE: since htpasswd is normally installed as a non-setuid program, and the exploit is through command line options, perhaps this issue should not be included in CVE. However, if there are some typical or recommended configurations that use htpasswd with sudo privileges, or common products that access htpasswd remotely, then perhaps it should be included.


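[CNNVD] Acme Labs thttpd HTPasswd Multiple Vulnerabilities (CNNVD-200603-117)

        htpasswd, when used in Acme thttpd 2.25b and possibly other products such as Apache, may allow remote users to gain privileges via shell metacharacters in a command-line argument (which is used in a call to the system function).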

- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

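- CWE (Weakness Category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (Affected Platforms and Products)

Product and version information (CPE) is not currently available

- OVAL (Technical Details for Detection)

No related OVAL definitions found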

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1079
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1079
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200603-117
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=thttpd&m=114153031201867&w=2
(UNKNOWN)  MLIST  [thttpd] 20060305 htpasswd.c security issues
http://marc.info/?l=thttpd&m=114154083000296&w=2
(UNKNOWN)  MLIST  [thttpd] 20060305 Re: htpasswd.c security issues
http://www.securityfocus.com/archive/1/archive/1/426823/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060305 htpasswd bufferoverflow and command execution in thttpd-2.25b.
http://www.securityfocus.com/bid/16972
(UNKNOWN)  BID  16972
http://xforce.iss.net/xforce/xfdb/25217
(UNKNOWN)  XF  thttpd-command-line-bo(25217)

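- Vulnerability Information

Acme Labs thttpd HTPasswd Multiple Vulnerabilities
High risk  Permissions and access control
2006-03-08 00:00:00 2006-08-03 00:00:00
Local
        htpasswd, when used in Acme thttpd 2.25b and possibly other products such as Apache, may allow remote users to gain privileges via shell metacharacters in a command-line argument (which is used in a call to the system function).

- Advisories and Patches

        The vendor has not yet provided a patch or upgrade for this vulnerability. Users of this software are advised to watch the vendor's home page for the latest version.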

- Vulnerability Information

60381
thttpd htpasswd Command Line Argument Shell Metacharacter Arbitrary Command Execution
Local Access Required Input Manipulation
Loss of Integrity Solution Unknown

- Vulnerability Description

htpasswd, if used with sudo or wrapped by a CGI, can be manipulated into executing other commands by supplying shell metacharacters on the command line.

- Timeline

2006-03-05 Unknown
Unknown Unknown

- Solution

Products

Unknown or Incomplete

- Related References

- Vulnerability Author

Unknown or Incomplete
 

 
