Yak! Remote Directory Traversal Vulnerability


Vulnerability ID: 1108222    Type: Input validation
Published: 2004-10-15    Updated: 2005-10-20
CVE ID: CVE-2004-2184
CNNVD ID: CNNVD-200412-677
Platform: Windows    CVSS score: 6.4
|Sources
https://www.exploit-db.com/exploits/24684
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-677
|Vulnerability details
Yak! is a chat program that can also exchange files. The FTP server built into Yak! handles the upload function incorrectly, and a remote attacker can exploit this flaw to perform a directory traversal attack. The built-in FTP server does not sufficiently filter user-supplied commands: submitting data containing multiple '../' sequences bypasses the directory restriction, and through the upload function arbitrary files on the system can be overwritten, causing a denial of service.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/11433/info

Yak! Chat Client FTP server is reported prone to a remote directory traversal vulnerability. This issue presents itself due to insufficient sanitization of user-supplied data.

This issue can ultimately allow an attacker to compromise a computer by placing malicious files on the system and executing these files through other means.

Yak! 2.1.2 and prior versions are reported vulnerable to this issue.

dir /
dir ../../windows/

put
evil.exe
../../windows/calc.exe
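The PoC above works because the server joins the client-supplied name onto its share root without checking where the result ends up. The following is an added example, not code from Yak! or from the advisory, that contrasts that unchecked join with a hardened resolver for an FTP upload handler; the share root and the file names are constructed for the demonstration, and Windows path rules (ntpath) are applied on any host so the check mirrors the affected platform.

```python
import ntpath

# Constructed share root for the demonstration (not Yak!'s real install path).
SHARE_ROOT = r"C:\Yak\shared"


class TraversalError(ValueError):
    """Raised when a client-supplied name would leave the share root."""


def vulnerable_upload_path(root: str, client_name: str) -> str:
    # The flaw the advisory describes: the client's name is appended to the
    # share root and never checked, so '..' components walk out of it.
    return ntpath.normpath(ntpath.join(root, client_name))


def safe_upload_path(root: str, client_name: str) -> str:
    """Map an FTP PUT/DIR argument onto a path guaranteed to stay under root."""
    root = ntpath.normpath(root)
    if not client_name or "\x00" in client_name:
        raise TraversalError("empty name or embedded NUL")
    # Refuse absolute and drive-qualified names outright (C:..\x, \x, //srv/x).
    drive, rest = ntpath.splitdrive(client_name)
    if drive or rest[:1] in ("\\", "/"):
        raise TraversalError("absolute or drive-qualified name refused")
    # Canonicalise ('..' and '.' collapsed, '/' mapped to '\'), then require
    # the result to lie strictly below the share root.
    candidate = ntpath.normpath(ntpath.join(root, client_name))
    if candidate == root or ntpath.commonpath([root, candidate]) != root:
        raise TraversalError(f"{client_name!r} escapes the share root")
    return candidate


def check_put(root: str, client_name: str) -> bool:
    """True if the hardened server would accept a PUT to client_name."""
    try:
        safe_upload_path(root, client_name)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    for name in ("report.txt", "docs/a.txt", "../../windows/calc.exe",
                 r"..\..\windows\calc.exe", r"C:\windows\calc.exe"):
        print(f"{name:26} unchecked -> {vulnerable_upload_path(SHARE_ROOT, name)}")
        print(f"{'':26} hardened  -> {'accepted' if check_put(SHARE_ROOT, name) else 'REJECTED'}")
```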
|References

Source: BID
Name: 11433
Link: http://www.securityfocus.com/bid/11433
Source: BUGTRAQ
Name: 20041015 Directory traversal in Yak! 2.1.2
Link: http://www.securityfocus.com/archive/1/378533
Source: aluigi.altervista.org
Link: http://aluigi.altervista.org/adv/yak-adv.txt
Source: XF
Name: yak-directory-traversal(17740)
Link: http://xforce.iss.net/xforce/xfdb/17740
Source: OSVDB
Name: 10763
Link: http://www.osvdb.org/10763
Source: SECTRACK
Name: 1011708
Link: http://securitytracker.com/id?1011708
Source: SECUNIA
Name: 12849
Link: http://secunia.com/advisories/12849
Source: FULLDISC
Name: 20041015 Directory traversal in Yak! 2.1.2
Link: http://marc.theaimsgroup.com/?l=full-disclosure&m=109788315103778&w=2
Source: NSFOCUS
Name: 7029
Link: http://www.nsfocus.net/vulndb/7029
