NewAtlanta ServletExec/ISAPI Remote File Disclosure Vulnerability


Vulnerability ID: 1106738 | Vulnerability type: Input validation
Published: 2002-05-22 | Updated: 2005-10-20
CVE ID: CVE-2002-0893
CNNVD-ID: CNNVD-200210-171
Platform: Windows | CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/21470
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200210-171
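|Vulnerability details
ServletExec/ISAPI is a Java Servlet/JSP engine plug-in that runs on the Microsoft IIS web platform and can be used with the IIS web server on Microsoft Windows NT/2000/XP systems. ServletExec/ISAPI does not correctly handle specially crafted URL requests submitted by users, which allows a remote attacker to access the contents of arbitrary files in the web root directory. ServletExec/ISAPI handles unicode encoding incorrectly: an attacker can submit a specially crafted URL request containing unicode characters and view the contents of arbitrary files in the web root directory with the privileges of the web process, resulting in disclosure of sensitive information. The attacker can use the information obtained through this vulnerability to attack the system further.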
|Exploit
source: http://www.securityfocus.com/bid/4795/info

ServletExec/ISAPI is a plug-in Java Servlet/JSP engine for Microsoft IIS. It runs with IIS on Microsoft Windows NT/2000/XP systems.

ServletExec/ISAPI will disclose the contents of arbitrary files within the webroot directory when it receives a request containing URL-encoded directory traversal sequences. While this causes the software to serve files within wwwroot that normally would not be served, it does not appear possible to exploit this condition to break out of the webroot.

http://target/servlet/com.newatlanta.servletexec.JSP10Servlet/..%5c..%5cglobal.asa
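For detection, the request shape above can be flagged in web server logs by decoding the request target before looking for `..` segments. The following is an added example, not code from the advisory or from New Atlanta; it generalizes slightly by also unwrapping nested percent-encoding, and the sample targets, `MAX_DECODE_ROUNDS` and the function names are assumptions made for illustration.

```python
from urllib.parse import unquote

# Constructed sample request targets (not real log data). The first mirrors the
# request shown on this page; the rest are benign or differently encoded.
SAMPLE_TARGETS = [
    "/servlet/com.newatlanta.servletexec.JSP10Servlet/..%5c..%5cglobal.asa",
    "/servlet/com.newatlanta.servletexec.JSP10Servlet/index.jsp",
    "/app/..%255c..%255cfile.txt",
    "/docs/release..notes.html",
    "/static/%2e%2e/web.config",
]

MAX_DECODE_ROUNDS = 3  # assumption: bound on nested percent-encoding to unwrap


def fully_decode(target: str) -> str:
    """Drop the query string, then percent-decode until the path is stable."""
    path = target.split("?", 1)[0]
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def has_traversal(target: str) -> bool:
    """True if a decoded path segment is exactly '..', treating '\\' as '/'."""
    # IIS on Windows accepts backslash as a separator, so %5c must count too.
    segments = fully_decode(target).replace("\\", "/").split("/")
    return ".." in segments


def flag_requests(targets):
    """Return the request targets that contain a traversal segment."""
    return [t for t in targets if has_traversal(t)]


if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_TARGETS):
        print("traversal:", hit)
```

Matching whole segments rather than the substring `..` keeps names such as `release..notes.html` from being flagged.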
|References

Source: BID
Name: 4795
Link: http://www.securityfocus.com/bid/4795
Source: XF
Name: servletexec-dotdot-directory-traversal(9140)
Link: http://www.iss.net/security_center/static/9140.php
Source: BUGTRAQ
Name: 20020522 Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Link: http://online.securityfocus.com/archive/1/273615
Source: VULNWATCH
Name: 20020522 [VulnWatch] Multiple vulnerabilities in NewAtlanta ServletExec ISAPI 4.1
Link: http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0077.html
