Netscape Enterprise Web Server Brute-Force Authentication Vulnerability

admin 2022-07-18 14:15:17 CNNVD Vulnerabilities Source: ZONE.CI Global Network

Vulnerability Details

Netscape Enterprise Web Server Brute-Force Authentication Vulnerability

  • CNNVD ID: CNNVD-200212-596
  • Severity: High
  • CVE ID: CVE-2002-1654
  • Vulnerability type: Design error
  • Published: 2002-12-31
  • Threat type: Remote
  • Updated: 2006-09-05
  • Vendor: netscape
  • Vulnerability source: Discovered by Rich...

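Vulnerability Summary

iPlanet Web Server Enterprise Edition and Netscape Enterprise Server versions 4.0 and 4.1 contain a vulnerability. A remote attacker can use the wp-force-auth Web Publisher command to perform HTTP basic authentication, which provides a different attack vector and may make it easier to carry out brute-force password guessing without detection.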

Vulnerability Advisory

The following solution has been taken from the iPlanet Knowledge Base Article ID: 7764: When you enable web publishing, you should treat the web server as an environment that must be secured. Ensure that users follow proper password policies such as using hard to guess passwords. If intruder detection software is used, it should be configured to check for ?wp-force-auth requests. HTTP basic authentication is generally not considered a secure mechanism and should be run over an SSL-enabled port. In addition, access logs should be monitored for suspicious requests. A better alternative would be to use client certificates, which are much more secure.
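One way to do the access-log monitoring the advisory recommends, as an added example that is not part of the iPlanet article or this entry: it flags source hosts that receive repeated 401 responses to ?wp-force-auth requests within a short window. The Common Log Format layout, the threshold, the window and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout (Common Log Format): host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

def find_wp_force_auth_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {host: count} for hosts with at least `threshold` 401 responses
    to ?wp-force-auth requests inside any sliding `window`."""
    failures = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        query = m["uri"].partition("?")[2].lower()
        if "wp-force-auth" not in query or m["status"] != "401":
            continue  # only failed authentication attempts are counted
        failures[m["host"]].append(
            datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for host, stamps in failures.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # shrink the window from the left
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged

# Constructed sample log: six failures in ten seconds from one host,
# plus one successful authentication and one unrelated request.
SAMPLE_LOG = [
    f'192.0.2.10 - - [09/Jan/2002:10:00:{s:02d} +0000] '
    '"GET /?wp-force-auth HTTP/1.0" 401 223'
    for s in range(0, 12, 2)
] + [
    '198.51.100.7 - alice [09/Jan/2002:10:05:00 +0000] '
    '"GET /docs/?wp-force-auth HTTP/1.0" 200 1042',
    '198.51.100.7 - - [09/Jan/2002:10:06:00 +0000] "GET /index.html HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    print(find_wp_force_auth_bursts(SAMPLE_LOG))
```

The threshold and window should be tuned to the site's normal Web Publisher usage so that a user mistyping a password a few times is not flagged.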

References

  • Source: US-CERT Vulnerability Note: VU#985347. Name: VU#985347. Link: http://www.kb.cert.org/vuls/id/985347
  • Source: XF. Name: netscape-enterprise-http-brute-force(7845). Link: http://xforce.iss.net/xforce/xfdb/7845
  • Source: BID. Name: 3831. Link: http://www.securityfocus.com/bid/3831
  • Source: www.securiteam.com. Link: http://www.securiteam.com/securitynews/5IP0G0060Q.HTML
  • Source: SECTRACK. Name: 1003157. Link: http://securitytracker.com/id?1003157
  • Source: VULNWATCH. Name: 20020109 Netscape publishing wp-force-auth command. Link: http://lists.virus.org/vulnwatch-0201/msg00008.HTML
  • Source: www.kb.cert.org. Link: http://www.kb.cert.org/vuls/id/AAMN-567NFX

Affected Entities

  • Netscape Enterprise_server:3.5  
  • Netscape Enterprise_server:3.6  
  • Netscape Enterprise_server:3.4  
  • Netscape Enterprise_server:3.2  
  • Netscape Enterprise_server:3.3  

Patches

    None available
