Red Hat Interchange Arbitrary File Read Vulnerability
Published: 2002-08-21  Updated: 2002-08-21  Severity: High  Threat: Remote unauthorized file access  Error type: Input validation error  Exploitation: Server mode
BUGTRAQ ID:5453
Affected systems:
RedHat Interchange 4.8.1
RedHat Interchange 4.8.2
RedHat Interchange 4.8.3
+ Debian Linux 3.0
RedHat Interchange 4.8.4
RedHat Interchange 4.8.5
Detailed description
Interchange 4.8.5 and earlier versions contain a vulnerability that lets Interchange disclose file contents to an attacker.
Interchange is an e-commerce HTTP database display system. When Interchange runs in "INET mode" (internet domain socket), it installs the <INTERCHANGE_ROOT>/doc directory, which by default holds the Interchange manual pages. The likely cause is that the Interchange daemon does not properly filter '../' sequences in HTTP requests, so a request can traverse directories and read the contents of arbitrary files on the system.
Test code: http://www.domain.com:7786/../../../../../../../../../etc/passwd
Solution: Move <INTERCHANGE_ROOT>/doc to another, secure location.
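The check the daemon is missing, written out as an added example (not code from the advisory or from Interchange): every request target is percent-decoded, its path segments are walked, and any '..' that would climb above the doc directory is rejected; the same routine then flags traversal attempts in access-log lines. The doc root path, the log format and the log lines are constructed assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed install location; the advisory only names it <INTERCHANGE_ROOT>/doc.
DOC_ROOT = "/usr/local/interchange/doc"

def confine_to_doc_root(request_target, doc_root=DOC_ROOT):
    """Map an HTTP request target onto a file below doc_root.

    Returns the resolved path, or None when the target would escape the
    doc tree (the filtering the advisory says the daemon lacks). Decoding
    runs twice so %2e%2e and %252e%252e are both seen as '..'.
    """
    path = unquote(unquote(urlsplit(request_target).path))
    if "\x00" in path:          # a NUL byte would truncate the name in open()
        return None
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not parts:       # one '..' too many: would climb above doc_root
                return None
            parts.pop()
        else:
            parts.append(seg)
    return doc_root + "".join("/" + p for p in parts)

LOG_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/')

def traversal_attempts(log_lines):
    """Return the request targets in access-log lines that escape doc_root."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and confine_to_doc_root(m.group(1)) is None:
            hits.append(m.group(1))
    return hits

# Constructed sample log lines (not from the advisory); the first target is
# the advisory's own test URL in request-target form.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Aug/2002:10:00:01 +0000] "GET /../../../../../../../../../etc/passwd HTTP/1.0" 200 1203',
    '10.0.0.5 - - [21/Aug/2002:10:00:02 +0000] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200 1203',
    '10.0.0.7 - - [21/Aug/2002:10:00:03 +0000] "GET /manual/../index.html HTTP/1.0" 200 88',
]

if __name__ == "__main__":
    print(traversal_attempts(SAMPLE_LOG))
```

The third log line stays inside the doc tree after normalisation, so it is not reported; only targets that resolve above DOC_ROOT are.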
Upgrade downloads:
RedHat Interchange 4.8.1:
RedHat Upgrade interchange-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-4.8.6-1.i386.rpm
RedHat Upgrade interchange-foundation-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-foundation-4.8.6-1.i386.rpm
RedHat Upgrade interchange-foundation-demo-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-foundation-demo-4.8.6-1.i386.rpm
RedHat Interchange 4.8.2:
RedHat Upgrade interchange-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-4.8.6-1.i386.rpm
RedHat Upgrade interchange-foundation-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-foundation-4.8.6-1.i386.rpm
RedHat Upgrade interchange-foundation-demo-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-foundation-demo-4.8.6-1.i386.rpm
RedHat Interchange 4.8.3:
RedHat Upgrade interchange-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-4.8.6-1.i386.rpm
RedHat Upgrade interchange-foundation-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-foundation-4.8.6-1.i386.rpm
Debian Upgrade libapache-mod-interchange_4.8.3.20020306-1.woody.1_alpha.deb
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_alpha.deb
RedHat Upgrade interchange-foundation-demo-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-foundation-demo-4.8.6-1.i386.rpm
Debian Upgrade interchange-cat-foundation_4.8.3.20020306-1.woody.1_all.deb
http://security.debian.org/pool/updates/main/i/interchange/interchange-cat-foundation_4.8.3.20020306-1.woody.1_all.deb
Debian Upgrade interchange-ui_4.8.3.20020306-1.woody.1_all.deb
http://security.debian.org/pool/updates/main/i/interchange/interchange-ui_4.8.3.20020306-1.woody.1_all.deb
Debian Upgrade interchange_4.8.3.20020306-1.woody.1_alpha.deb
http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_alpha.deb
Debian Upgrade interchange_4.8.3.20020306-1.woody.1_arm.deb
http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_arm.deb
Debian Upgrade interchange_4.8.3.20020306-1.woody.1_hppa.deb
http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_hppa.deb
Debian Upgrade interchange_4.8.3.20020306-1.woody.1_i386.deb
http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_i386.deb
Debian Upgrade interchange_4.8.3.20020306-1.woody.1_ia64.deb
http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_ia64.deb
Debian Upgrade interchange_4.8.3.20020306-1.woody.1_m68k.deb
http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_m68k.deb
Debian Upgrade interchange_4.8.3.20020306-1.woody.1_mips.deb
http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_mips.deb
Debian Upgrade interchange_4.8.3.20020306-1.woody.1_mipsel.deb
http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_mipsel.deb
Debian Upgrade interchange_4.8.3.20020306-1.woody.1_powerpc.deb
http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_powerpc.deb
Debian Upgrade interchange_4.8.3.20020306-1.woody.1_s390.deb
http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_s390.deb
Debian Upgrade interchange_4.8.3.20020306-1.woody.1_sparc.deb
http://security.debian.org/pool/updates/main/i/interchange/interchange_4.8.3.20020306-1.woody.1_sparc.deb
Debian Upgrade libapache-mod-interchange_4.8.3.20020306-1.woody.1_arm.deb
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_arm.deb
Debian Upgrade libapache-mod-interchange_4.8.3.20020306-1.woody.1_hppa.deb
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_hppa.deb
Debian Upgrade libapache-mod-interchange_4.8.3.20020306-1.woody.1_i386.deb
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_i386.deb
Debian Upgrade libapache-mod-interchange_4.8.3.20020306-1.woody.1_ia64.deb
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_ia64.deb
Debian Upgrade libapache-mod-interchange_4.8.3.20020306-1.woody.1_m68k.deb
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_m68k.deb
Debian Upgrade libapache-mod-interchange_4.8.3.20020306-1.woody.1_mips.deb
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_mips.deb
Debian Upgrade libapache-mod-interchange_4.8.3.20020306-1.woody.1_mipsel.deb
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_mipsel.deb
Debian Upgrade libapache-mod-interchange_4.8.3.20020306-1.woody.1_powerpc.deb
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_powerpc.deb
Debian Upgrade libapache-mod-interchange_4.8.3.20020306-1.woody.1_s390.deb
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_s390.deb
Debian Upgrade libapache-mod-interchange_4.8.3.20020306-1.woody.1_sparc.deb
http://security.debian.org/pool/updates/main/i/interchange/libapache-mod-interchange_4.8.3.20020306-1.woody.1_sparc.deb
RedHat Interchange 4.8.4:
RedHat Upgrade interchange-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-4.8.6-1.i386.rpm
RedHat Upgrade interchange-foundation-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-foundation-4.8.6-1.i386.rpm
RedHat Upgrade interchange-foundation-demo-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-foundation-demo-4.8.6-1.i386.rpm
RedHat Interchange 4.8.5:
RedHat Upgrade interchange-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-4.8.6-1.i386.rpm
RedHat Upgrade interchange-foundation-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-foundation-4.8.6-1.i386.rpm
RedHat Upgrade interchange-foundation-demo-4.8.6-1.i386.rpm
http://ftp.interchange.redhat.com/interchange/4.8/rpm/interchange-foundation-demo-4.8.6-1.i386.rpm
Related information: product changelog.
References: http://online.securityfocus.com/advisories/4380
http://www.icdevgroup.org/pipermail/interchange-users/2002-August/024350.html
Product homepage: http://interchange.redhat.com/