


Category:   Application (Forum/Board/Portal)  >   LBlog
Vendors:
LBlog Discloses Database to Remote Users
SecurityTracker Alert ID:  1017462
SecurityTracker URL:
CVE Reference:   CVE-2007-0077   (Links to External Site)
Updated:  May 20 2008
Original Entry Date:  Jan 2 2007
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  
Version(s): 2.0; possibly other versions
Description:   A vulnerability was reported in LBlog. A remote user can obtain the database.

A remote user can invoke the following type of URL to download the database:


Aria-Security Team discovered this vulnerability.

[Editor's note: The vendor recommends using a "secret" folder name instead of the default "newFolder" directory for storing the database.]

Impact:   A remote user can obtain the database.
Solution:   No solution was available at the time of this entry.

As a workaround, web server access controls can be applied to the database file.
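
One way to apply that workaround, shown as an added example that is not part of the original alert or the vendor's guidance. It assumes the site runs on IIS 7 or later with request filtering available and that this web.config sits at the root of the LBlog application; only the admin/db/newFolder path comes from the report.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed location: web.config at the root of the LBlog application (IIS 7+). -->
<configuration>
  <system.webServer>
    <security>
      <requestFiltering>
        <!-- Requests whose URL contains a path segment named "db" are refused
             with HTTP 404.8, so nothing under admin/db/ (including
             admin/db/newFolder/ or a renamed "secret" folder below it)
             can be listed or downloaded over HTTP.
             Server-side code that opens the database through the file system
             is not affected, because it never goes through the URL. -->
        <hiddenSegments>
          <add segment="db" />
        </hiddenSegments>
      </requestFiltering>
    </security>
    <!-- Keep directory browsing off so folder contents cannot be enumerated. -->
    <directoryBrowse enabled="false" />
  </system.webServer>
</configuration>
```

Unlike a renamed folder, this does not depend on the path staying secret. After deploying it, request the database folder from outside and confirm the server answers 404 rather than a listing or a file.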

Vendor URL: (Links to External Site)
Cause:   Access control error, Configuration error
Underlying OS:  Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  lblog Remote Password Disclosure

#<Aria-Security Team>
#<Happy New Year!!>
#< For English>
#< For Parsi>
#Discovered: Aria-Security Team
#Risk: Low
#Type:Remote Database Download
#http://TARGET/path/admin/db/newFolder/                              THEN DOWNLOAD THE DATABASE AVAILABLE IN THIS FOLDER

