Bug: NIM092795: ArcGIS for Server allows the upload of executable files
【Related information】
Article ID: 41497
Bug Id: NIM092795
Software:
ArcGIS for Server 10.1, 10.2
Platforms:
Windows Server 2003, Server 2012, Server 2008 R2
RHEL 5, 6
【Bug description】
ArcGIS for Server allows the upload of executable files. To upload an executable file, the user must be a publisher or administrator of ArcGIS for Server.
An individual or entity with malicious intent could upload .exe files to the ArcGIS for Server machine if they managed to get publisher or administrator access to ArcGIS for Server.
CVE Reference
CVE-2013-5221 Inadequate filtering of mobile uploads
Vector (CVSS v2): AV:N/AC:M/Au:S/C:P/I:P/A:P, Base Score: 6
This vulnerability may be viewed as a standard entry in the Common Vulnerabilities and Exposures list.
Acknowledgements
Esri thanks the following for working with us to help protect customers:
Roberto Suggi Liverani of NCIA-NCIRC for reporting this vulnerability.
【Bug cause】
One upload path in ArcGIS for Server did not check that only allowed file types were being uploaded.
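The missing control here is an upload allowlist. The following is an added example, not Esri code: a check of the kind that should sit on every upload path, refusing a file unless its extension is on an allowlist and its leading bytes are not an executable image. The allowlist, the endpoint it guards and the sample uploads are assumptions constructed for illustration.

```python
import os
from typing import Optional

# Hypothetical allowlist for a service-definition upload endpoint (assumption,
# not Esri's actual list); anything not named here is refused.
ALLOWED_EXTENSIONS = {".sd", ".zip", ".json", ".png", ".jpg"}

# Leading bytes of executable images on the platforms the advisory lists:
# "MZ" for Windows PE/EXE files, "\x7fELF" for Linux (RHEL) binaries.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")


def upload_rejection_reason(filename: str, head: bytes) -> Optional[str]:
    """Return None if the upload may be accepted, otherwise why it is refused.

    Both the name and the content are checked, because either alone is
    bypassable: an .exe can be renamed to an allowed type, and an allowed
    name can carry an executable.  Trailing dots and spaces are stripped
    first because Windows drops them on save, so 'tool.exe.' would
    otherwise land on disk as 'tool.exe'.
    """
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    if not base or "\x00" in base:
        return "invalid file name"
    _, ext = os.path.splitext(base.lower())
    if ext not in ALLOWED_EXTENSIONS:
        return f"extension {ext or '(none)'!r} is not in the allowlist"
    if head.startswith(EXECUTABLE_MAGIC):
        return "file content is an executable image"
    return None


def screen_uploads(uploads: dict) -> dict:
    """Run the check over a batch of name -> first bytes; None means accepted."""
    return {name: upload_rejection_reason(name, data[:8])
            for name, data in uploads.items()}


# Constructed sample uploads (leading bytes only), labelled by what they imitate.
SAMPLE_UPLOADS = {
    "roads.sd": b"\x01\x02\x03\x04\x05\x06\x07\x08",  # allowed type, non-executable bytes
    "tool.exe": b"MZ\x90\x00\x03\x00\x00\x00",        # plain Windows executable
    "tool.exe.": b"MZ\x90\x00\x03\x00\x00\x00",       # trailing-dot variant of the same
    "..\\..\\tool.exe": b"MZ\x90\x00\x03\x00\x00\x00",  # path components in the name
    "renamed.sd": b"MZ\x90\x00\x03\x00\x00\x00",      # executable renamed to an allowed type
    "agent.png": b"\x7fELF\x02\x01\x01\x00",          # Linux binary behind an image name
}

if __name__ == "__main__":
    for name, verdict in screen_uploads(SAMPLE_UPLOADS).items():
        print(f"{name!r}: {'accepted' if verdict is None else verdict}")
```

Only the first sample passes; the rest are refused either by name or, where the name is clean, by the executable signature in the content.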
1 reply
EsriSupport
Esri has released two patches that address security vulnerabilities that affect ArcGIS 10.1 SP1 for Server and ArcGIS 10.2 for Server. Esri recommends that ArcGIS Server customers apply the appropriate patch:
ArcGIS 10.1 SP1 for Server Security Patch
ArcGIS 10.2 for Server Security Patch
【Created and modified】
Created: 8/9/2013
Last Modified: 9/20/2013
【Original link】
http://support.esri.com/en/kno ... 41497