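Vulnerability Details
Rockliffe MailSite Express Incomplete Blacklist Vulnerability
- CNNVD ID: CNNVD-200511-098
- Severity: Low
- CVE ID: CVE-2005-3430
- Vulnerability type: Design error
- Published: 2005-10-31
- Threat type: Remote
- Updated: 2005-11-15
- Vendor: rockliffe
- Source: Paul Craig headpi...
Vulnerability Summary
MailSite Express is a free mail service program.
Rockliffe MailSite Express versions before 6.1.22 allow remote attackers to upload and execute arbitrary script files by giving the file a specific extension such as (1) .unk, (2) .asa, and possibly (3) .htr and (4) .aspx, because these extensions are not filtered the way .asp is.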
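The incomplete-blacklist pattern described above, next to an allowlist check, as an added example that is not Rockliffe's code. Only the filtered .asp extension and the four extensions tested come from this record; the ALLOWED set, the function names and the random storage name are assumptions made for illustration.

```python
import os
import secrets

# From the record: .asp is filtered, the other extensions are not.
BLOCKED = {".asp"}
# Assumption: attachment types a webmail deployment chooses to accept.
ALLOWED = {".txt", ".pdf", ".png", ".jpg", ".docx"}


def extension(filename):
    """Return the lower-cased final extension of a client-supplied name."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path part
    return os.path.splitext(base)[1].lower()


def blacklist_accepts(filename):
    """Flawed pattern: reject known-bad extensions, accept everything else."""
    return extension(filename) not in BLOCKED


def allowlist_accepts(filename):
    """Hardened pattern: accept only extensions that are explicitly expected."""
    return extension(filename) in ALLOWED


def safe_storage_name(filename):
    """Return a server-generated name; the client name is never used on disk."""
    ext = extension(filename)
    if ext not in ALLOWED:
        raise ValueError("attachment type not permitted: %r" % ext)
    return secrets.token_hex(16) + ext


def compare(names):
    """Return (name, blacklist verdict, allowlist verdict) for each name."""
    return [(n, blacklist_accepts(n), allowlist_accepts(n)) for n in names]


# Constructed sample names using the extensions listed in the record.
SAMPLE = ["report.pdf", "page.asp", "page.unk", "page.asa", "page.htr", "page.aspx"]

if __name__ == "__main__":
    for name, by_blacklist, by_allowlist in compare(SAMPLE):
        print("%-12s blacklist=%-5s allowlist=%s" % (name, by_blacklist, by_allowlist))
```

Storing attachments outside the web root, or in a directory where script execution is disabled, removes the remaining dependence on the extension check.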
Vulnerability Advisory
The vendor has released an upgrade patch to fix this security issue. Patch links:
http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.HTML
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=333956.1
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=333959.1
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=333961.1
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=333963.1
http://www.peoplesoft.com/corp/en/support/security_index.jsp
References
Source: MISC
Link: http://www.security-assessment.com/Advisories/Rockliffe_Express_Webmail_Vulnerabilities.pdf
Source: BUGTRAQ
Name: 20051028 Multiple vulnerabilities within RockLiffe MailSite Express WebMail
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=113053680631151&w=2
Source: FULLDISC
Name: 20051028 Multiple vulnerabilities within RockLiffe MailSite Express WebMail
Link: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0578.HTML
Source: XF
Name: mailsiteexpress-attachment-script-execution(22907)
Link: http://xforce.iss.net/xforce/xfdb/22907
Source: BID
Name: 15230
Link: http://www.securityfocus.com/bid/15230
Source: SECTRACK
Name: 1015117
Link: http://securitytracker.com/id?1015117
Source: SECUNIA
Name: 17240
Link: http://secunia.com/advisories/17240/
Affected Entities
- Rockliffe Mailsite_express:6.1.20
- Rockliffe Mailsite_express:6.1.21
Patch
None available