Microsoft VFP_OLE_Server ActiveX Control Remote Command Execution Vulnerability

2008-01-11T00:00:00
ID SSV:2807
Type seebug
Reporter Root
Modified 2008-01-11T00:00:00

Description

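Microsoft Visual FoxPro is a database management and application development system. The Microsoft VFP_OLE_Server ActiveX control has a design flaw that allows a remote attacker to execute arbitrary commands with the privileges of the application process. The problem is that the Microsoft VFP_OLE_Server control uses the "foxcommand()" function unsafely: the application to run is passed directly as its argument, which can lead to execution with the application's privileges.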

Microsoft VFP_OLE_Server ActiveX Control 0
+ Microsoft Internet Explorer 6.0
+ Microsoft Internet Explorer 5.5 SP2
+ Microsoft Internet Explorer 5.5 SP1
+ Microsoft Internet Explorer 5.5 preview
+ Microsoft Internet Explorer 5.5
+ Microsoft Internet Explorer 5.0.1 SP2
+ Microsoft Internet Explorer 5.0.1 SP1
+ Microsoft Internet Explorer 5.0.1 for Windows NT 4.0
+ Microsoft Internet Explorer 5.0.1 for Windows 98
+ Microsoft Internet Explorer 5.0.1 for Windows 95
+ Microsoft Internet Explorer 5.0.1 for Windows 2000
+ Microsoft Internet Explorer 5.0.1
+ Microsoft Internet Explorer 5.0 for Windows NT 4.0
+ Microsoft Internet Explorer 5.0 for Windows 98
+ Microsoft Internet Explorer 5.0 for Windows 95
+ Microsoft Internet Explorer 5.0 for Windows 2000
+ Microsoft Internet Explorer 5.0

Vendor solution: No solution is currently available: http://msdn.microsoft.com/vfoxpro/

-----------------------------------------------------------------------------
 Microsoft VFP_OLE_Server Remote Command Execution
 url: http://www.microsoft.com
 Author: shinnai