SecurityTracker.com
Category:   Application (Forum/Board/Portal)  >   Uapplication
Vendors:   Uapplication
Uapplication Products Disclose the Database to Remote Users and Let Remote Authenticated Administrators Upload Arbitrary Files
SecurityTracker Alert ID:  1013830
SecurityTracker URL:  http://securitytracker.com/id/1013830
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 28 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Exploit Included:  Yes  

Description:   Team-evil MOroccain Hackers reported a vulnerability in several Uapplication products. A remote user can obtain the database, which includes the administrative password.

A remote user can supply the following type of URLs to obtain the underlying database files:

http://[target]/uguestbook/mdb-databse/guestbook.mdb

http://[target]/ublog/mdb-database/blog.msb

http://[target]/uphotogallery/mdb-database/uphotogallery.mdb

The database contains the administrative password.
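
One way to check IIS logs for successful retrieval of the database files listed above (an added example, not part of the original advisory or the vendor's code). It assumes W3C extended logging with a #Fields header; the log lines, dates and IP addresses are constructed for illustration.

```python
import re

# Directories named in the advisory (both spellings), plus any stem ending in .mdb.
DB_STEM = re.compile(r"(?:/mdb-databa?se/[^/]+|\.mdb)$", re.IGNORECASE)
SERVED = {"200", "206"}  # full or partial content was returned to the client

def parse_w3c(lines):
    """Yield one dict per request, using the #Fields directive to name columns."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_db_downloads(lines):
    """Return (date, time, client IP, path, status) for each database file served."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        if DB_STEM.search(stem) and rec.get("sc-status") in SERVED:
            hits.append((rec.get("date"), rec.get("time"), rec.get("c-ip"),
                         stem, rec.get("sc-status")))
    return hits

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2005-04-29 10:01:12 192.0.2.10 GET /uguestbook/default.asp - 200 5120
2005-04-29 10:01:40 198.51.100.7 GET /uguestbook/mdb-databse/guestbook.mdb - 200 204800
2005-04-29 10:02:03 198.51.100.7 GET /ublog/mdb-database/blog.msb - 404 1795
2005-04-29 10:02:31 198.51.100.7 GET /uphotogallery/mdb-database/uphotogallery.mdb - 200 385024
"""

if __name__ == "__main__":
    for hit in find_db_downloads(SAMPLE_LOG.splitlines()):
        print("database served:", *hit)
```

A hit means the file left the server, so the administrative password stored in it should be treated as exposed and changed.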

A remote authenticated administrator can invoke the uphotogallery 'edit_image.asp' script to upload arbitrary files to the target system.

Team-evil MOroccain Hackers reported this vulnerability.

Impact:   A remote user can obtain the database, which includes the administrator's password.

A remote authenticated administrator can upload arbitrary files to the target system.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.uapplication.com/
Cause:   Access control error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  vulnerability in uapplication


Team-evil MOroccain Hackers
A remote user can download the database and obtain the administrative password.

And the uphotogallery admin can upload files.

www.target.com/uguestbook/mdb-databse/guestbook.mdb

www.target.com/ublog/mdb-database/blog.msb

www.target.com/uphotogallery/mdb-database/uphotogallery.mdb

In uphotogallery, new_image.asp does not allow file uploads, but when you want to edit your image you can upload files with edit_image.asp.

 

by Team-evil MOroccain Hackers


-= by G0rillazz =-


Copyright 2019, SecurityGlobal.net LLC