Professional Documents
Culture Documents
MSSV: 22162047
You will compose a lab report that documents each step you take, including screenshots to illustrate the
effects of commands you type, and describing your observations. Simply attaching code without any
explanation will not receive credits
Network Topology:
Sv chọn khoảng 5 lỗ hổng có mã CVE, tìm hiểu và giải thích lỗ hổng đó, ghi trong báo cáo.
- CVE-2010-3773:
o Description: Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey
before 2.0.11, when the XMLHttpRequestSpy module in the Firebug add-on is used,
does not properly handle interaction between the XMLHttpRequestSpy object and
chrome privileged objects, which allows remote attackers to execute arbitrary
JavaScript via a crafted HTTP response. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2010-0179.
o Summary: This vulnerability allows remote attackers to initiate remote processes,
read arbitrary local files, and establish network connections through vectors related
to the refresh value in the http-equiv attribute of a META element, leading to the
misuse of security principles.
- CVE-2010-1197:
o Description: Mozilla Firefox 3.5.x before 3.5.10 and 3.6.x before 3.6.4, and
SeaMonkey before 2.0.5, does not properly handle situations in which both
"Content-Disposition: attachment" and "Content-Type: multipart" are present in
HTTP headers, which allows remote attackers to conduct cross-site scripting (XSS)
attacks via an uploaded HTML document.
o Summary: This vulnerability occurs when using the XMLHttpRequestSpy module in
the Firebug utility and mishandles interactions between the XMLHttpRequestSpy
object and objects with chrome privileges. This allows remote attacks to execute
arbitrary JavaScript code through HTTP responses, creating an opportunity for
exploitation.
- CVE-2010-3775:
o Description: Mozilla Firefox before 3.5.16 and 3.6.x before 3.6.13, and SeaMonkey
before 2.0.11, does not properly handle certain redirections involving data: URLs
and Java LiveConnect scripts, which allows remote attackers to start processes, read
arbitrary local files, and establish network connections via vectors involving a
refresh value in the http-equiv attribute of a META element, which causes the
wrong security principal to be used.
o Summary: A concise summary of the vulnerability, particularly highlighting the
impacts and consequences it may have on the affected system or application.
- CVE-2002-2246:
o Description: Cross-site scripting (XSS) vulnerability in VisNetic Website before 3.5.15
allows remote attackers to inject arbitrary web script or HTML via the HTTP referer
header (HTTP_REFERER) to a non-existent page, which is injected into the resulting
404 error page.
o Summary: This vulnerability allows remote attackers to inject arbitrary web or HTML
script via the HTTP_REFERER header.
- CVE-2002-2241:
o Description: Buffer overflow in httpd32.exe in Deerfield VisNetic WebSite before
3.5.15 allows remote attackers to cause a denial of service (crash) via a long HTTP
OPTIONS request.
o Summary: This vulnerability allows remote attacks to cause a service crash.
3. (3,0 đ) Khai thác lỗ hổng
- Sử dụng metaploit để truy cập vào các máy với các lỗ hổng remote.
o Màn hình máy mục tiêu
o Trên máy chủ