Category:   Application (Generic)  >   vRating Vendors:
vRating Discloses Sensitive Information and Grants Administrative Access to Remote Users
SecurityTracker Alert ID:  1010951
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 13 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 4.0, 4.01
Description:   Security .Net Information (snilabs) reported some vulnerabilities in vRating. A remote user can view sensitive configuration information. A remote user can also gain administrative access.

It is reported that a remote user can view and edit the 'settings.php' file with the following type of URL:


The configuration information includes mysql host, database, username, and password.

It is also reported that a remote user can access the 'admin' directory to gain access to the administrative interface. A demonstration exploit URL is provided:


Impact:   A remote user can view and edit configuration settings, including authentication information.

A remote user can access the administrative interface.

Solution:   No solution was available at the time of this entry.
Vendor URL:
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
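
With no vendor fix available, operators can at least check web server logs for the two access-control failures described above. The following Python script is an added example, not part of the original advisory or of vRating: it flags requests where 'settings.php' or the 'admin' directory was served (2xx) to a client with no authenticated user. It assumes Apache-style combined log format and that HTTP authentication is what should protect these paths; the function name, the `/app/` install prefix and the log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Combined log format: host ident authuser [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
# Matched by file/directory name only; the install prefix is not assumed.
SENSITIVE_RE = re.compile(r'/(?:settings\.php$|admin(?:/|$))', re.IGNORECASE)

# Constructed sample lines (documentation IP ranges, hypothetical /app/ prefix).
SAMPLE_LOG = [
    '203.0.113.7 - - [13/Aug/2004:10:01:22 +0000] "GET /app/settings.php HTTP/1.0" 200 1843',
    '203.0.113.7 - - [13/Aug/2004:10:01:40 +0000] "POST /app/settings.php?save=1 HTTP/1.0" 200 212',
    '198.51.100.4 - - [13/Aug/2004:10:02:05 +0000] "GET /app/admin/ HTTP/1.0" 401 401',
    '192.0.2.10 - alice [13/Aug/2004:10:03:11 +0000] "GET /app/admin/index.php HTTP/1.0" 200 5120',
    '203.0.113.9 - - [13/Aug/2004:10:04:00 +0000] "GET /app/index.php HTTP/1.0" 200 7301',
    '203.0.113.9 - - [13/Aug/2004:10:04:09 +0000] "GET /app/admin/index.php HTTP/1.0" 200 5120',
]


def find_unauthenticated_hits(lines, trusted_hosts=frozenset()):
    """List (host, method, path, kind) for sensitive paths served to anonymous clients."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Drop the query string and decode percent-escapes before matching.
        path = unquote(m['target'].split('?', 1)[0])
        if not SENSITIVE_RE.search(path):
            continue
        # 2xx with authuser "-" means the content was served without HTTP auth.
        if (m['status'].startswith('2') and m['user'] == '-'
                and m['host'] not in trusted_hosts):
            kind = 'edit' if m['method'] in ('POST', 'PUT') else 'view'
            hits.append((m['host'], m['method'], path, kind))
    return hits


if __name__ == '__main__':
    for hit in find_unauthenticated_hits(SAMPLE_LOG):
        print(hit)
```

Any hit means the path is still reachable without credentials and the database password stored in the settings should be treated as exposed.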

Message History:   None.

 Source Message Contents

Subject:  Vrating multiple Vulnerabilities:

Security .Net Information (snilabs) Advisory:

Vrating multiple Vulnerabilities:

1) Vrating Lets Remote Users Read and edit the files

A bug has been encountered in vrating 4.01, 4.0: a remote user can view and
edit the settings.php file.

The file settings.php does not have protection, so a remote user can view
the file and view the website settings, including mysql host, database,
username and password.


2) Vrating default admin dir is not protected with a password;
remote users can view and edit a website configuration and access
the configuration control panel.


Vendor Contacted: not yet .. lol

Greetz: friends of #reflux

snilabs: #sni-labs
