
CGI Security Vulnerability Quick Reference v1.0 (repost, part 2)

Jun 21, 2016 09:12 AM
Tags: cgi, web, security, security vulnerability

26
Type: Attack
Name: webwho.pl
Risk level: Medium
Description: If the CGI script webwho.pl is present in your web executable directory, an intruder can use it to read any file that the user the web server runs as can read, write or execute.
Suggestion: Delete webwho.pl from your web directory or move it out
Fix: Delete webwho.pl from your web directory or move it out

_____________________________________________________________________________________

27
Type: Attack
Name: w3-msql
Risk level: Low
Description: A CGI program (w3-msql) shipped with the MiniSQL package can be used to execute arbitrary code with the uid of httpd. The vulnerability is caused by the program's use of scanf().
Suggestion: If you have the MiniSQL package installed, delete the w3-msql file from the /cgi-bin/ directory or move it out
Fix: If you have the MiniSQL package installed, delete the w3-msql file from the /cgi-bin/ directory or move it out, or apply the patch below.

Patch:

------ w3-msql.patch ---------

410c410
---
> scanf("%128s ", boundary);
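Review bot: the 410c410 line `scanf("%128s ", boundary);` only removes the overflow if boundary holds at least 129 bytes (128 characters plus the terminating NUL); the hunk does not show the declaration of boundary, nor the line it replaces, so check that the array size matches the width before applying it. Note also that %s stops at whitespace, so a boundary containing spaces is split and the remainder is left in the input stream.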
418c418
---
> strncat(var, buffer,sizeof(buffer));
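Review bot: the 418c418 line `strncat(var, buffer,sizeof(buffer));` is not a correct bound. The third argument of strncat limits how many bytes are taken from the source (buffer), not how much room is left in the destination (var), so var can still overflow whenever it is smaller than strlen(var) + sizeof(buffer) + 1. The bound should be the remaining space in var, for example `sizeof(var) - strlen(var) - 1` when var is an array, and the replaced line is missing from the hunk, so what this changes cannot be verified from the patch alone.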
428c428
---
> scanf(" Content-Type: %15360s ", buffer);
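Review bot: the 428c428 line `scanf(" Content-Type: %15360s ", buffer);` requires buffer to be at least 15361 bytes; as with the first hunk, the declaration is not shown, so confirm the size before applying it. A width this large also means an over-long body field is silently truncated at 15360 characters rather than rejected, which the code that later parses buffer must tolerate.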

------ w3-msql.patch ---------
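The bounded-read pattern that the w3-msql patch applies, as an added example that is not from the original reference or from the w3-msql sources. Function names and buffer sizes are assumptions; the point is that a scanf width must match the destination size and that strncat's bound must be the room left in the destination.

```c
/* Added example, not from the original reference or from the w3-msql
 * sources: the bounded-read pattern that the w3-msql patch above applies.
 * A bare scanf("%s") writes as many bytes as the input supplies; a width
 * such as "%128s" stops after 128 characters, so the destination must hold
 * 129 bytes (one more for the terminating NUL). Function names and buffer
 * sizes here are assumptions for illustration. */
#include <stdio.h>
#include <string.h>

#define BOUNDARY_LEN 128   /* same width as the %128s in the patch */

/* Parse one whitespace-delimited boundary token from `input` into `out`,
 * which must have room for BOUNDARY_LEN + 1 bytes. Returns the number of
 * characters stored, or -1 if the input holds no token. An over-long
 * token is truncated to BOUNDARY_LEN characters instead of overrunning
 * `out`, which is the whole point of the width specifier. */
int read_boundary(const char *input, char out[BOUNDARY_LEN + 1])
{
    out[0] = '\0';
    /* The width must be a literal in the format string; keep it in step
     * with BOUNDARY_LEN when changing either one. */
    if (sscanf(input, "%128s", out) != 1)
        return -1;
    return (int)strlen(out);
}

/* Append `src` to the NUL-terminated string in `dst`, whose total capacity
 * is `dstsz` bytes. strncat's third argument limits how much is copied
 * from the source, so it must be the space left in the destination, not
 * sizeof(source) as in the 418c418 hunk. Returns 0 when the whole of
 * `src` fitted and -1 when it had to be truncated. */
int append_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t used = strlen(dst);
    if (used + 1 >= dstsz)
        return -1;                      /* no room for even one more byte */
    size_t room = dstsz - used - 1;     /* bytes available before the NUL */
    strncat(dst, src, room);
    return strlen(src) > room ? -1 : 0;
}
```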

__________________________________________________________________________________________


28
Type: Attack
Name: Netscape FastTrack server 2.0.1a
Risk level: Medium
Description: The Netscape FastTrack server 2.0.1a shipped with UnixWare 7.1 has a remote buffer overflow vulnerability. By default, the httpd listening on port 457 serves the UnixWare documentation over HTTP. Sending this server a GET request longer than 367 characters overflows a buffer and overwrites EIP, which can lead to arbitrary code being executed with httpd's privileges.
Suggestion: As a temporary workaround, shut down the Netscape FastTrack server
Fix: As a temporary workaround, shut down the Netscape FastTrack server.


_____________________________________________________________________________________

29
Type: Attack
Name: AnyForm.cgi
Risk level: High
Description: The AnyForm.cgi program in the cgi-bin directory delivers responses to simple forms by e-mail, but it does not check user input thoroughly, so an intruder can use it to execute any command on the server.
Suggestion: Audit the cgi-bin directory and avoid keeping unnecessary programs there
Fix: Upgrade this CGI program or delete the file
Related link: http://www.securityfocus.com/vdb/bottom.html?section=exploit&vid=719


___________________________________________________________________________________________


30
Type: Attack
Name: whois.cgi
Risk level: Low
Description: The Whois.cgi shipped with several web servers has an overflow vulnerability. Affected versions include:
Whois Internic Lookup - version: 1.02
CC Whois - Version: 1.0
Matt's Whois - Version: 1
They allow an intruder to execute arbitrary code on your system with the privileges of the user the httpd runs as
Suggestion: Delete whois.cgi from your web directory or move it out
Fix: Delete whois.cgi from your web directory or move it out

_________________________________________________________________________________
31
Type: Attack
Name: environ.cgi
Risk level: Medium
Description: The /cgi-bin/environ.cgi program found on Apache, IIS and other web servers has a flaw that lets an intruder bypass the security mechanism and browse some files on the server
Suggestion: Audit the cgi-bin directory and avoid keeping unnecessary programs there
Fix: Upgrade this CGI program or delete the file
Related link:


___________________________________________________________________________________

32
Type: Attack
Name: wrap
Risk level: Medium
Description: The /cgi-bin/wrap program has two vulnerabilities, both of which allow an intruder to gain unauthorized access to files on the server, for example:
http://host/cgi-bin/wrap?/../../../../../etc
Suggestion: Audit the cgi-bin directory and avoid keeping unnecessary programs there
Fix: Delete the /cgi-bin/wrap file
Related link: http://phoebe.cps.unizar.es/~spd/pub/ls.cgi


________________________________________________________________________________


33
Type: Attack
Name: edit.pl
Risk level: Medium
Description: /cgi-bin/edit.pl has a weakness: the following request gives access to a user's configuration:
http://www.sitetracker.com/cgi-bin/edit.pl?account=&password=
Suggestion: Audit the cgi-bin directory and avoid keeping unnecessary programs there
Fix: Delete the /cgi-bin/edit.pl file
Related link: http://phoebe.cps.unizar.es/~spd/pub/ls.cgi


________________________________________________________________________________

34
Type: Attack
Name: service.pwd
Risk level: Medium
Description: On Unix systems, http://www.hostname.com/_vti_pvt/service.pwd is readable, which exposes user password information
Suggestion: Delete it
Fix: chown root service.pwd
chmod 700 service.pwd
Related link:

___________________________________________________________________________
35
Type: Attack
Name: administrators.pwd
Risk level: Medium
Description: On Unix systems, http://www.hostname.com/_vti_pvt/administrators.pwd is readable, which exposes user password information
Suggestion: Delete it
Fix: chown root administrators.pwd
chmod 700 administrators.pwd
Related link:


_____________________________________________________________________________

36
Type: Attack
Name: users.pwd
Risk level: Medium
Description: On Unix systems, http://www.hostname.com/_vti_pvt/users.pwd is readable, which exposes user password information
Suggestion: Delete it
Fix: chown root users.pwd
chmod 700 users.pwd
Related link:
_________________________________________________________________________________


37
Type: Attack
Name: authors.pwd
Risk level: Medium
Description: On Unix systems, http://www.hostname.com/_vti_pvt/authors.pwd is readable, which exposes user password information
Suggestion: Delete it
Fix: chown root authors.pwd
chmod 700 authors.pwd
Related link:

______________________________________________________________________________

38
Type: Attack
Name: visadmin.exe
Risk level: Medium
Description: If the file visadmin.exe exists in the cgi-bin directory of the OmniHTTPd Web Server, an attacker only needs to enter the following command:
http://omni.server/cgi-bin/visadmin.exe?user=guest
and within a few minutes the server's hard disk will be filled up
Suggestion: Delete it
Fix: Delete visadmin.exe from the cgi-bin directory
Related link:


________________________________________________________________________________

39
Type: Attack
Name: get32.exe
Risk level: High
Description: The cgi-bin directory of the Alibaba web server contains the program get32.exe, which allows an intruder to execute an arbitrary command:
http://www.victim.com/cgi-bin/get32.exe|echo%20>c:\command.com
Suggestion: Delete it
Fix: Delete GET32.exe from the cgi-bin directory
Related link:

______________________________________________________________________________________

40
Type: Attack
Name: alibaba.pl
Risk level: High
Description: The cgi-bin directory of the Alibaba web server contains the program alibaba.pl, which allows an intruder to execute an arbitrary command:
http://www.victim.com/cgi-bin/alibaba.pl|dir
Suggestion: Delete it
Fix: Delete alibaba.pl from the cgi-bin directory
Related link:

___________________________________________________________________________________


41
Type: Attack
Name: tst.bat
Risk level: High
Description: The cgi-bin directory of the Alibaba web server contains the program tst.bat, which allows an intruder to execute an arbitrary command:
http://www.victim.com/cgi-bin/tst.bat|type%20c:\windows\win.ini
Suggestion: Delete it
Fix: Delete tst.bat from the cgi-bin directory
Related link:

___________________________________________________________________________________

42
Type: Attack
Name: fpcount.exe
Risk level: Low
Description: If your web server runs on NT with only the SP3 service pack installed, an intruder can use this CGI program for a DoS attack that makes your IIS service refuse connections
Suggestion: Delete fpcount.exe from your web directory or move it out
Fix: Delete fpcount.exe from your web directory or move it out


_________________________________________________________________________________

43
Type: Attack
Name: openfile.cfm
Risk level: Low
Description: If your web directory contains the files
/cfdocs/expeval/exprcalc.cfm
/cfdocs/expeval/sendmail.cfm
/cfdocs/expeval/eval.cfm
/cfdocs/expeval/openfile.cfm
/cfdocs/expeval/displayopenedfile.cfm
/cfdocs/exampleapp/email/getfile.cfm
/cfdocs/exampleapp/publish/admin/addcontent.cfm
an intruder may be able to use them to read every file on your system
Suggestion: Delete openfile.cfm from your web directory or move it out
Fix: Delete openfile.cfm from your web directory or move it out


_______________________________________________________________________________________


44
Type: Attack
Name: exprcalc.cfm
Risk level: Low
Description: If your web directory contains the files
/cfdocs/expeval/exprcalc.cfm
/cfdocs/expeval/sendmail.cfm
/cfdocs/expeval/eval.cfm
/cfdocs/expeval/openfile.cfm
/cfdocs/expeval/displayopenedfile.cfm
/cfdocs/exampleapp/email/getfile.cfm
/cfdocs/exampleapp/publish/admin/addcontent.cfm
an intruder may be able to use them to read every file on your system
Suggestion: Delete exprcalc.cfm from your web directory or move it out
Fix: Delete exprcalc.cfm from your web directory or move it out
Related link: http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full


______________________________________________________________________________

45
Type: Attack
Name: displayopenedfile.cfm
Risk level: Low
Description: If your web directory contains the files
/cfdocs/expeval/exprcalc.cfm
/cfdocs/expeval/sendmail.cfm
/cfdocs/expeval/eval.cfm
/cfdocs/expeval/openfile.cfm
/cfdocs/expeval/displayopenedfile.cfm
/cfdocs/exampleapp/email/getfile.cfm
/cfdocs/exampleapp/publish/admin/addcontent.cfm
an intruder may be able to use them to read every file on your system
Suggestion: Delete displayopenedfile.cfm from your web directory or move it out
Fix: Delete displayopenedfile.cfm from your web directory or move it out
Related link: http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full


_______________________________________________________________________________

46
Type: Attack
Name: sendmail.cfm
Risk level: Medium
Description: If your web directory contains the files
/cfdocs/expeval/exprcalc.cfm
/cfdocs/expeval/sendmail.cfm
/cfdocs/expeval/eval.cfm
/cfdocs/expeval/openfile.cfm
/cfdocs/expeval/displayopenedfile.cfm
/cfdocs/exampleapp/email/getfile.cfm
/cfdocs/exampleapp/publish/admin/addcontent.cfm
an intruder may be able to use them to read every file on your system
Suggestion: Delete sendmail.cfm from your web directory or move it out
Fix: Delete sendmail.cfm from your web directory or move it out
Related link: http://www.allaire.com/handlers/index.cfm?ID=8727&Method=Full


_________________________________________________________________________________

47
Type: Attack
Name: codebrws.asp
Risk level: Medium
Description: If you use NT+IIS as your web server, an intruder can use this ASP page to view every file on your system that the user the httpd runs as is allowed to read
Check the following addresses for patches
Internet Information Server:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/
Site Server:
ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/hotfixes-postsp2/Viewcode-fix/
http://www.microsoft.com/security/products/iis/checklist.asp
Suggestion: Delete codebrws.asp from your web directory or move it out
Fix: Delete codebrws.asp from your web directory or move it out


_____________________________________________________________________________________


48
Type: Informational
Name: codebrws.asp_1
Risk level: Medium
Description: The file codebrws.asp exists under /iissamples/exair/howitworks/. Requesting the path
http://www.xxx.com/iissamples/exair/howitworks/codebrws.asp?source=/index.asp
shows the source of index.asp. In fact any ASCII file can be viewed this way.
Suggestion: Delete the web directory named /iissamples/
Fix: Delete codebrws.asp from your web directory or move it out
Check the following addresses for patches
Internet Information Server:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/
Site Server:
ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/hotfixes-postsp2/Viewcode-fix/
http://www.microsoft.com/security/products/iis/checklist.asp
Related link: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/


_________________________________________________________________________________
49
Type: Attack
Name: showcode.asp_1
Risk level: Medium
Description: The file showcode.asp exists under the /msadc/Samples/SELECTOR/ directory. Requesting the path
http://www.xxx.com/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../../boot.ini
returns the contents of boot.ini; in fact an intruder can use this ASP page to view every file on your system that the user the httpd runs as is allowed to read
Suggestion: Forbid anonymous access to the /msadc directory
Fix: Delete showcode.asp from your web directory or move it out
Check the following addresses for patches
Internet Information Server:
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/
Site Server:
ftp://ftp.microsoft.com/bussys/sitesrv/sitesrv-public/fixes/usa/siteserver3/hotfixes-postsp2/Viewcode-fix/
http://www.microsoft.com/security/products/iis/checklist.asp
Related link: ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/

_________________________________________________________________________________

50
Type: Attack
Name: /msadc directory is accessible
Risk level: Medium
Description: The /msadc directory on a Windows NT IIS server is accessible, which causes a series of security problems, including intruders invoking applications without authorization
Suggestion: Delete the unnecessary directories created by the default IIS installation
Fix: Disable the /msadc directory; if it must stay open, at least configure it so that legitimate users need a password to access it
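A read-only audit of a web root for the files named in entries 26-50, as an added example that is not part of the original reference. It lists the CGI, CFM and ASP programs the entries say to delete, flags _vti_pvt password files (entries 34-37) that are still readable by others, and reports the IIS sample directories from entries 48-50; the web root path is an assumption supplied by the caller.

```sh
#!/bin/sh
# Added example, not from the original reference: a read-only audit that
# searches a web root for the programs named in entries 26-50 and for
# _vti_pvt password files readable by others. File names come from the
# entries; the web root to scan is an assumption passed as $1.

# Programs the entries recommend deleting or moving out of the web tree.
RISKY_CGI="webwho.pl w3-msql AnyForm.cgi whois.cgi environ.cgi wrap edit.pl \
visadmin.exe get32.exe alibaba.pl tst.bat fpcount.exe \
openfile.cfm exprcalc.cfm displayopenedfile.cfm sendmail.cfm \
codebrws.asp showcode.asp"

# FrontPage password files that entries 34-37 say must be mode 700, root-owned.
PWD_FILES="service.pwd administrators.pwd users.pwd authors.pwd"

# audit_webroot ROOT: print one line per finding; return 1 if any finding
# was made and 0 if the tree is clean. Nothing is modified.
audit_webroot() {
    root=$1
    found=0
    for name in $RISKY_CGI; do
        for f in $(find "$root" -type f -name "$name" 2>/dev/null); do
            echo "RISKY-CGI $f"
            found=1
        done
    done
    for name in $PWD_FILES; do
        for f in $(find "$root" -type f -path '*/_vti_pvt/*' -name "$name" 2>/dev/null); do
            # -perm -004 matches files whose "other read" bit is set
            if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then
                echo "WORLD-READABLE $f"
                found=1
            fi
        done
    done
    # IIS sample and data-access directories from entries 48-50.
    for dir in iissamples msadc; do
        [ -d "$root/$dir" ] && { echo "SAMPLE-DIR $root/$dir"; found=1; }
    done
    return $found
}
```

Run it as `audit_webroot /path/to/webroot` on the server itself; a non-zero exit status means at least one finding was printed.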


