https://www.exploit-db.com/exploits/21197
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200203-071
BSCW Insecure Default Installation Vulnerability






Vulnerability ID | 1106563 | Vulnerability type | Unknown |
Published | 2002-01-03 | Updated | 2006-08-28 |
CVE-2002-0095 | CNNVD-200203-071 |
Platform | Multiple | CVSS score | 7.5 |
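|Vulnerability Source
|Vulnerability Details
BSCW (Basic Support for Cooperative Work) is a web-based application component that lets users share a workspace through a web interface. It runs on Microsoft Windows NT/2000 and can also run on Linux and Unix platforms. The default installation of BSCW allows users to self-register, and this weakness allows untrusted users to access the service. In the default configuration, self-registration is enabled once the administrator has registered as the first user, and it can generally be reached as follows: http://your.bscwserver.url/pub/english.cgi?op=rmail. Because anyone can register, any user can gain access to the BSCW service and may then use other vulnerabilities to attack the system further, for example using the "BSCW Command Execution Vulnerability" to execute arbitrary commands with httpd privileges.
|Exploit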
source: http://www.securityfocus.com/bid/3777/info
BSCW (Basic Support for Cooperative Work) is a web-based groupware application, allowing users to share a workspace via a web interface. It runs on Microsoft Windows NT/2000 systems, as well as a number of Unix variants.
The default installation allows users to self-register, potentially allowing untrusted users to access the service.
This may provide a window of opportunity for an untrusted, malicious user to access the service to exploit known issues. One example of an existing issue that may be exploited as a result of untrusted users being able to self-register is BugTraq ID 3776 "BSCW Remote Command Execution Vulnerability".
http://your.bscwserver.url/pub/english.cgi?op=rmail
|References
Source: BID
Name: 3777
Link: http://www.securityfocus.com/bid/3777
Source: BUGTRAQ
Name: 20020102 BSCW: Vulnerabilities and Problems
Link: http://www.securityfocus.com/archive/1/248000
Source: XF
Name: bscw-default-installation-registration(7775)
Link: http://www.iss.net/security_center/static/7775.php