CVE-2006-1468
CVSS 5.0
Published: 2006-06-27 17:05:00
Revised: 2011-03-07 00:00:00

[Original] Unspecified vulnerability in Apple File Protocol (AFP) server in Apple Mac OS X 10.4 up to 10.4.6 includes the names of restricted files and folders within search results, which might allow remote attackers to obtain sensitive information.


[CNNVD] Apple Mac OS X AFP Service Information Disclosure Vulnerability (CNNVD-200606-546)

Apple Mac OS X is the operating system used on Apple's family of machines.
The AFP service in Apple Mac OS X 10.4 through 10.4.6 contains an unspecified vulnerability: search results include the names of restricted files and folders, which may allow a remote attacker to obtain sensitive information.

- CVSS (base score)

CVSS score: 5.0 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Access complexity: LOW [no special access conditions are needed to exploit]
Access vector: NETWORK [left blank in the record; a CVSS v2 base score of 5.0 with C:P/I:N/A:N, AC:L and Au:N is only reached with AV:N, and the description names remote attackers]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/o:apple:mac_os_x:10.4    Apple Mac OS X 10.4
cpe:/o:apple:mac_os_x:10.4.1  Apple Mac OS X 10.4.1
cpe:/o:apple:mac_os_x:10.4.2  Apple Mac OS X 10.4.2
cpe:/o:apple:mac_os_x:10.4.3  Apple Mac OS X 10.4.3
cpe:/o:apple:mac_os_x:10.4.4  Apple Mac OS X 10.4.4
cpe:/o:apple:mac_os_x:10.4.5  Apple Mac OS X 10.4.5
cpe:/o:apple:mac_os_x:10.4.6  Apple Mac OS X 10.4.6

- OVAL (technical details for detection)

No related OVAL definition was found.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1468
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1468
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-546
(official data source) CNNVD

- Other links and resources

http://lists.apple.com/archives/security-announce/2006/Jun/msg00000.html
(PATCH)  APPLE  APPLE-SA-2006-06-27
http://xforce.iss.net/xforce/xfdb/27477
(UNKNOWN)  XF  macosx-afp-information-disclosure(27477)
http://www.vupen.com/english/advisories/2006/2566
(VENDOR_ADVISORY)  VUPEN  ADV-2006-2566
http://www.securityfocus.com/bid/18733
(UNKNOWN)  BID  18733
http://www.securityfocus.com/bid/18686
(UNKNOWN)  BID  18686
http://www.osvdb.org/26930
(UNKNOWN)  OSVDB  26930
http://securitytracker.com/id?1016395
(UNKNOWN)  SECTRACK  1016395
http://secunia.com/advisories/20877
(VENDOR_ADVISORY)  SECUNIA  20877

- Vulnerability information (CNNVD)

Apple Mac OS X AFP Service Information Disclosure Vulnerability
Severity: Medium    Type: Access validation error
Published: 2006-06-27 00:00:00    Updated: 2006-07-03 00:00:00
Attack vector: Remote (the CNNVD record marks this "local", which contradicts the remote attacker in the description above and the "Remote / Network Access" classification in the OSVDB entry below)

- Advisory and patches

The vendor has released an update that fixes this issue; download it from the vendor's site:
http://www.apple.com/support/downloads/

- Vulnerability information (OSVDB)

26930
Apple Mac OS X Apple File Protocol (AFP) Server Search Result Information Disclosure
Remote / Network Access    Information Disclosure
Loss of Confidentiality
Exploit Public

- Vulnerability description

Mac OS X contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a user performs a search in an AFP share, which discloses the names of files for which the user has no permission, resulting in a loss of confidentiality.
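The flaw described above is a general one: a search index answers from name matches alone and skips the per-directory access check that a normal directory listing performs, so names under directories the caller cannot enter leak out. The following Python is an added example, not Apple's AFP code and not part of the original entry: it models a small share with Unix-style permission bits, a search that ignores access control (the vulnerable shape) and one that applies the same reachability check a listing would. The users, groups, paths and file names are constructed for the example.

```python
"""Search over a share that must honour per-directory permissions.

Added example (not Apple code): a toy in-memory directory tree with
owner/group/other rwx bits, a search that matches on name alone, and a
search that only reports names the caller could reach by listing.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set

R, W, X = 4, 2, 1  # rwx bits, as in one triplet of a Unix mode


@dataclass
class Node:
    name: str
    owner: str
    group: str
    mode: int  # rwx bits for owner/group/other, e.g. 0o750
    children: Dict[str, "Node"] = field(default_factory=dict)
    parent: Optional["Node"] = None
    is_dir: bool = True


def add(parent: Node, name: str, owner: str, group: str, mode: int,
        is_dir: bool = True) -> Node:
    node = Node(name, owner, group, mode, parent=parent, is_dir=is_dir)
    parent.children[name] = node
    return node


def permits(node: Node, user: str, groups: Set[str], want: int) -> bool:
    """Classic owner / group / other check for the bits in `want`."""
    if user == node.owner:
        bits = (node.mode >> 6) & 7
    elif node.group in groups:
        bits = (node.mode >> 3) & 7
    else:
        bits = node.mode & 7
    return bits & want == want


def path_of(node: Node) -> str:
    parts = []
    while node.parent is not None:
        parts.append(node.name)
        node = node.parent
    return "/" + "/".join(reversed(parts))


def walk(node: Node) -> Iterator[Node]:
    for child in node.children.values():
        yield child
        if child.is_dir:
            yield from walk(child)


def search_unfiltered(root: Node, needle: str) -> List[str]:
    """Vulnerable shape: matches on name alone, so names under directories
    the caller cannot enter are reported anyway."""
    return sorted(path_of(n) for n in walk(root)
                  if needle.lower() in n.name.lower())


def visible(node: Node, user: str, groups: Set[str]) -> bool:
    """A name is visible only if the caller could reach it by listing:
    read on the directory that contains it, search (x) on every ancestor."""
    parent = node.parent
    if parent is None or not permits(parent, user, groups, R):
        return False
    while parent is not None:
        if not permits(parent, user, groups, X):
            return False
        parent = parent.parent
    return True


def search_filtered(root: Node, needle: str, user: str,
                    groups: Set[str]) -> List[str]:
    """Fixed shape: the search applies the same access check a listing would."""
    return sorted(path_of(n) for n in walk(root)
                  if needle.lower() in n.name.lower()
                  and visible(n, user, groups))


def build_share() -> Node:
    """Constructed sample share; users, groups and names are invented."""
    root = Node("", "root", "staff", 0o755)
    pub = add(root, "Public", "root", "staff", 0o755)
    add(pub, "salary-policy.pdf", "root", "staff", 0o644, is_dir=False)
    hr = add(root, "HR", "hrlead", "hr", 0o750)  # staff cannot enter HR
    add(hr, "salary-2006.xls", "hrlead", "hr", 0o640, is_dir=False)
    add(hr, "layoff-list.doc", "hrlead", "hr", 0o640, is_dir=False)
    return root


if __name__ == "__main__":
    share = build_share()
    print(search_unfiltered(share, "salary"))                      # leaks /HR/salary-2006.xls
    print(search_filtered(share, "salary", "alice", {"staff"}))    # only /Public/salary-policy.pdf
    print(search_filtered(share, "salary", "hrlead", {"hr"}))      # hrlead sees both
```

The filtered search checks the parent directory, not the matched file's own bits: whether a name exists is a property of the directory that holds it, which is why `visible` requires read on the containing directory and search on every ancestor and never consults the file's mode. A search that only tested the file's own permission would still leak names of unreadable files inside readable directories, and names of everything inside directories the caller cannot enter.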

- Timeline

2006-06-26 Unknown
2006-06-26 Unknown

- Solution

For 10.4 - 10.4.6, upgrade to version 10.4.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. For versions 10.3 - 10.3.9, Apple has released a patch (Security Update 2006-004) to address this vulnerability.

- Related references

None listed.

- Credit

Unknown or Incomplete

- Vulnerability information (Bugtraq)

Retired: Apple Mac OS X Multiple Security Vulnerabilities
Class: Unknown    Bugtraq ID: 18686
Remote: Yes    Local: Yes
Published: 2006-06-27 12:00:00    Updated: 2006-06-30 03:44:00
Credit: These issues were disclosed by the vendor.

- Affected versions

Apple Mac OS X Server 10.4.6
Apple Mac OS X Server 10.4.5
Apple Mac OS X Server 10.4.4
Apple Mac OS X Server 10.4.3
Apple Mac OS X Server 10.4.2
Apple Mac OS X Server 10.4.1
Apple Mac OS X Server 10.4
Apple Mac OS X 10.4.6
Apple Mac OS X 10.4.5
Apple Mac OS X 10.4.4
Apple Mac OS X 10.4.3
Apple Mac OS X 10.4.2
Apple Mac OS X 10.4.1
Apple Mac OS X 10.4

- Unaffected versions

Apple Mac OS X Server 10.4.7
Apple Mac OS X 10.4.7

- Discussion

Mac OS X is prone to multiple security vulnerabilities:

- Information-disclosure issue
- Buffer-overflow and potential denial-of-service issues
- Format-string vulnerability
- Denial-of-service issue in Open Directory

Apple has released Mac OS X version 10.4.7 to address these issues.

This BID has been separated into the following BIDs and is therefore being retired:
BID 18733 (Apple Mac OS X AFP Information Disclosure Vulnerability)
BID 18728 (Apple Mac OS X OpenLDAP Denial Of Service Vulnerability)
BID 18724 (Apple Mac OS X LaunchD Local Format String Vulnerability)
BID 18731 (Apple Mac OS X ImageIO TIFF Images Remote Buffer Overflow Vulnerability).

- Exploit

Exploit code has been released for the launchd format string issue.

Some of these issues do not require exploits.

- Solution

The vendor has released OS X version 10.4.7 to address these issues. The update applies to Apple Mac OS X and Apple Mac OS X Server 10.4, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5 and 10.4.6.

- Related references

None listed.
