首页 -> 安全研究
安全研究
安全漏洞
NAI PGP Keyserver Web管理接口验证可绕过漏洞
发布日期:2001-09-28
更新日期:2002-09-28
受影响系统:
Network Associates PGP Keyserver 7.0描述:
Network Associates PGP Keyserver 7.0.1
- Microsoft Windows NT 4.0 SP6a
- Microsoft Windows NT 4.0 SP6
- Microsoft Windows NT 4.0 SP5
- Microsoft Windows NT 4.0 SP4
- Microsoft Windows NT 4.0 SP3
- Microsoft Windows NT 4.0 SP2
- Microsoft Windows NT 4.0 SP1
- Microsoft Windows NT 4.0
- Microsoft Windows 2000 Server SP2
- Microsoft Windows 2000 Server SP1
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Datacenter Server SP2
- Microsoft Windows 2000 Datacenter Server SP1
- Microsoft Windows 2000 Datacenter Server
- Microsoft Windows 2000 Advanced Server SP2
- Microsoft Windows 2000 Advanced Server SP1
- Microsoft Windows 2000 Advanced Server
- Sun Solaris 8.0
- Sun Solaris 7.0
- Sun Solaris 2.6
BUGTRAQ ID: 3375
PGP Keyserver是Network Associates的一个商业加密软件包,作为PGP公钥管理系统,提供LDAP特性。
PGP Keyserver存在一个漏洞,远程攻击者可以获得Web管理接口的管理权限。Web接口的管理员一般执行命令是通过如下链接:
http://www.example.com/keyserver/cgi-bin/console.exe?page_size=...
http://www.example.com/keyserver/cgi-bin/cs.exe?action=...
但是远程用户可以无需验证直接访问这些链接执行命令。恶意用户可以利用这个漏洞替换PGP Keyserver上的PGP密钥、获得系统的一些敏感信息以及对系统的合法用户进行拒绝服务攻击。
<*来源:Nobuo Miwa (snsadv@lac.co.jp)
链接:http://archives.neohapsis.com/archives/bugtraq/2001-09/0230.html
*>
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* NAI提供了一个临时解决方法,参见http://www.pgp.com/support/product-advisories/keyserver.asp
------------------------------------------------
# NT版本修改
------------------------------------------------
1) 找到httpd.conf文件(默认安装在 C:\Program Files\Network Associates\PGP Keyserver\Web\conf)如下小节:
#
# "C:/Program Files/Network Associates/PGP Keyserver/Web/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "C:/Program Files/Network Associates/PGP Keyserver/Web/cgi-bin">
AllowOverride None
Options None
</Directory>
2) 改变成如下:
#
# "C:/Program Files/Network Associates/PGP Keyserver/Web/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "C:/Program Files/Network Associates/PGP Keyserver/Web/cgi-bin">
AllowOverride None
Options None
<Files ~ "(console|cs|multi_config|directory)\.(pl|exe)">
Order allow,deny
require valid-user
AuthType Basic
AuthName "PGP Keyserver Administration"
AuthUserFile "C:/Program Files/Network Associates/PGP Keyserver/Web/.allowed-admin"
</Files>
</Directory>
3) 重启Web服务器。
------------------------------------------------
SOLARIS版本修改
------------------------------------------------
1) 找到Solaris版本的httpd.conf文件 (默认安装在 /opt/PGPkeysrv/web/conf) 如下小节:
ScriptAlias /keyserver/cgi-bin/ "/opt/PGPkeysrv/web/cgi-bin/"
2) 在后面添加:
<Directory /keyserver/cgi-bin>
AllowOverride None
Options None
<Files ~ "(console|cs|multi_config|directory)\.(pl|exe)">
Order allow,deny
require valid-user
AuthType Basic
AuthName "protected area"
AuthUserFile /opt/PGPkeysrv/web/.allowed-admin
</Files>
</Directory>
3) 限制只能从192.168.3网段地址才能访问:
<Location />
AllowOverride None
Options None
require valid-user
AuthType Basic
AuthName "protected area"
AuthUserFile /opt/PGPkeysrv/web/.allowed-admin
# The default installation requires a login but is otherwise allowed
# from the world. To adjust this policy, read the apache documentation available
# at http://www.apache.org, and remove or comment these lines:
# Order allow,deny
# allow from all
# and uncomment these lines:
Order deny,allow
Deny from all
# and use some variations of some of these lines.
# allow from a particular IP:
# allow from 192.168.3.4
# allow from a particular network:
allow from 192.168.3
# allow from a hostname:
# allow from fredsmachine.yourdomain.com
# allow from your entire domain:
# allow from .yourdomain.com
# allow from your subdomain:
# allow from .infotech.yourdomain.com
</Location>
4) 添加必要的限制:
<Location ~ "/keyserver/cgi-bin/(console|cs|multi_config)\.(pl|exe)">
Order allow,deny
Allow from all
require valid-user
AuthType Basic
AuthName "PGP Keyserver Administration"
AuthUserFile "/opt/PGPkeysrv/web/.allowed-admin"
</Location>
<Location ~ "/keyserver/cgi-bin/directory\.(pl|exe)">
# use these lines for open access to directory utility.
# Order allow,deny
# Allow from all
# use these lines for closing access to directory utility:
Order deny,allow
Deny from all
# Use the model above or the Apache docs to add IP or domain-based restrictions.
allow from 192.168.3.4
</Location>
Web服务器必须重启。
厂商补丁:
Network Associates
------------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.pgp.com
浏览次数:4019
严重程度:0(网友投票)
绿盟科技给您安全的保障