SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   LBlog
Vendors:   lblog.dk
LBlog Discloses Database to Remote Users
SecurityTracker Alert ID:  1017462
SecurityTracker URL:  http://securitytracker.com/id/1017462
CVE Reference:   CVE-2007-0077
Updated:  May 20 2008
Original Entry Date:  Jan 2 2007
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 2.0; possibly other versions
Description:   A vulnerability was reported in LBlog. A remote user can obtain the database.

A remote user can invoke the following type of URL to download the database:

http://[target]/path/admin/db/newFolder/Lblog.mdb

Aria-Security Team discovered this vulnerability.

[Editor's note: The vendor recommends using a "secret" folder name instead of the default "newFolder" directory for storing the database.]

Impact:   A remote user can obtain the database.
Solution:   No solution was available at the time of this entry.

As a workaround, web server access controls can be applied to the database file.
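
One way to apply that workaround, as an added example that is not part of the original advisory or the vendor's guidance: a web.config fragment for the site root, assuming IIS 7 or later with the Request Filtering module installed. The "db" segment comes from the path shown above; adjust it if the database folder has been renamed.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: place in the web.config at the root of the site that hosts LBlog.
     Assumes IIS 7+ with Request Filtering; older IIS versions need a different mechanism. -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Refuse any HTTP request for an Access database file, wherever it sits
             under the site. IIS answers with 404.7 (file extension denied). -->
        <fileExtensions allowUnlisted="true">
          <add fileExtension=".mdb" allowed="false" />
        </fileExtensions>
        <!-- Refuse any URL that contains a path segment named "db", so the folder
             holding the database is never served. IIS answers with 404.8. -->
        <hiddenSegments>
          <add segment="db" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Request filtering applies only to HTTP requests, so code that opens the database through the file system is unaffected. Unlike a renamed folder, the rule still holds if the database path becomes known.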

Vendor URL:  www.lblog.dk/
Cause:   Access control error, Configuration error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  lblog Remote Password Disclosure

#<Aria-Security Team>
#<Happy New Year!!>
#<Aria-Security.com For English>
#<Aria-Security.net For Parsi>
#Discovered: Aria-Security Team
#Vendor: http://www.lblog.dk/
#Risk: Low
#Type:Remote Database Download
#PoC:
#
#http://TARGET/path/admin/db/newFolder/                              THEN DOWNLOAD THE DATABASE AVAILABLE IN THIS FOLDER
#
#Contact: advisory@aria-security.net 

 
 

