WWWguestbook Discloses Database to Remote Users
|
SecurityTracker Alert ID: 1011026 |
|
SecurityTracker URL: http://securitytracker.com/id/1011026
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Aug 23 2004
|
Impact:
Disclosure of authentication information, Disclosure of system information, Disclosure of user information, User access via network
|
Exploit Included: Yes
|
Version(s): 1.1
|
Description:
Security .Net Information reported a vulnerability in WWWguestbook. A remote user can download the database.
It is reported that a remote user can supply the following type of URL to directly download the guestbook database:
http://[target]/path_of_guestbook/db/dbase.mdb
The database reportedly includes the administrator's username and password.
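Added example, not part of the original advisory or the vendor's code: a log review that finds requests for the database file described above and separates completed downloads from failed attempts. It assumes the server writes IIS W3C extended logs containing the fields shown; the sample log lines and the function name are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (documentation-range IPs).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem sc-status sc-bytes
2004-08-23 10:01:12 192.0.2.10 GET /guestbook/default.asp 200 5120
2004-08-23 10:02:40 198.51.100.7 GET /guestbook/db/dbase.mdb 200 196608
2004-08-23 10:03:05 198.51.100.7 GET /guestbook/db/DBASE%2EMDB 404 0
2004-08-23 10:04:19 203.0.113.5 HEAD /guestbook/db/dbase.mdb 200 0
"""

DB_EXTENSIONS = (".mdb",)  # add other data-file types stored under the web root


def find_db_requests(log_text, extensions=DB_EXTENSIONS):
    """Return one record per logged request for a database file."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field layout may change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Normalise case and percent-escapes in case the raw URL was logged.
        path = unquote(row.get("cs-uri-stem", "")).lower()
        if not path.endswith(extensions):
            continue
        ok = row.get("sc-status") in ("200", "206")
        if ok and row.get("cs-method") == "GET":
            verdict = "downloaded"   # file content was returned to the client
        elif ok:
            verdict = "reachable"    # server confirmed the file is served
        else:
            verdict = "probe"        # request was refused or file not found
        size = row.get("sc-bytes", "")
        hits.append({"when": f"{row.get('date')} {row.get('time')}",
                     "client": row.get("c-ip"), "path": path,
                     "verdict": verdict,
                     "bytes": int(size) if size.isdigit() else 0})
    return hits


if __name__ == "__main__":
    for hit in find_db_requests(SAMPLE_LOG):
        print(hit)
```

Any "downloaded" record means the administrator credentials stored in the database should be treated as exposed and changed.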
|
Impact:
A remote user can download the database, which includes the administrator's username and password.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.abczone.it/
|
Cause:
Access control error
|
Underlying OS:
Windows (Any)
|
Message History:
None.
|
Source Message Contents
|
Date: Sat, 21 Aug 2004 00:57:10 -0300
Subject: WWWguestbook Discloses Database to Remote Users
|
Security .Net Information Advisory:
WWWguestbook Discloses Database to Remote Users.
A remote user can download the news database containing user and
passwd for admin.
Passwd and user admin are not encrypted =) remote user can gain admin access.
Example:
http://www.target.com/path_of_guestbook/db/dbase.mdb
Vendor Contacted: not yet..lol
Greetz: friends of #reflux (irc.oceanius.com) and #private (irc.unityirc.net)
--
radiarx.oceanius.com #sni-labs #reflux
Security .Net Information