MPCSoftWeb Photo Discloses Administrator Password to Remote Users
|
|
SecurityTracker Alert ID: 1007567
|
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: Aug 26 2003
|
Impact: Disclosure of authentication information, User access via network
|
Exploit Included: Yes
|
Description: CyberTalon reported a vulnerability in MPCSoftWeb Photo. A remote user can obtain the administrator's password.
It is reported that a remote user can request the 'mpcsoftweb_photo.mdb' file containing the administrator's username and password. A demonstration exploit URL is provided:
http://[target]/photofolder/database/mpcsoftweb_photo.mdb
|
Impact: A remote user can obtain the administrator's username and password.
|
Solution: No solution was available at the time of this entry.
The report indicates that, as a workaround, you can use access controls to protect the 'mpcsoftweb_photo.mdb' file.
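One way to audit your own web root for this exposure, as an added example that is not from the advisory or the vendor: it lists database files sitting under the served directory and reports those that no request-filtering rule denies. It assumes an IIS 7+ site configured through web.config; the function names and the extension list are hypothetical, and NTFS permissions are not checked.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Assumed extension list; the advisory itself names only the .mdb file.
DB_EXTENSIONS = {".mdb", ".accdb", ".sqlite", ".db"}

def denied_by_request_filtering(webroot, parts):
    """Simplified check: does a web.config on the path deny this file?

    Only <fileExtensions> and <hiddenSegments> under requestFiltering are
    read; <location>, <clear/> and <remove> are ignored.
    """
    ext = os.path.splitext(parts[-1])[1].lower()
    segments = {p.lower() for p in parts}
    for depth in range(len(parts)):
        cfg = os.path.join(webroot, *parts[:depth], "web.config")
        try:
            root = ET.parse(cfg).getroot()
        except (OSError, ET.ParseError):
            continue  # no config at this level, or not parseable
        rf = root.find("system.webServer/security/requestFiltering")
        if rf is None:
            continue
        for rule in rf.findall("fileExtensions/add"):
            if (rule.get("fileExtension", "").lower() == ext
                    and rule.get("allowed", "true").lower() == "false"):
                return True
        for rule in rf.findall("hiddenSegments/add"):
            if rule.get("segment", "").lower() in segments:
                return True
    return False

def find_exposed_databases(webroot):
    """Return URL paths of database files under webroot with no deny rule."""
    exposed = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in DB_EXTENSIONS:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), webroot)
            parts = rel.split(os.sep)
            if not denied_by_request_filtering(webroot, parts):
                exposed.append("/" + "/".join(parts))
    return sorted(exposed)

if __name__ == "__main__":
    for url_path in find_exposed_databases(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("served without a deny rule:", url_path)
```

Moving the database file outside the web root removes the exposure without depending on any filtering rule.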
|
Vendor URL: www.mpcsoftweb.co.uk/pages/mpcsoftweb_photo.asp
|
Cause: Access control error
|
Underlying OS: Windows (Any)
|
Reported By: cyber talon <cyber_talon@hotmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 25 Aug 2003 12:47:11 -0300
From: cyber talon <cyber_talon@hotmail.com>
Subject: mpcsoftweb Photo discloses the database of usernames and passwords
|
mpcsoftweb Photo discloses the database of usernames and passwords
Found by: CyberTalon
1. Problem
2. Exploit
3. Solution
4. Info
1. mpcsoftweb Photo stores the administrator's username and password in
database/mpcsoftweb_photo.mdb, which is downloadable through the web by
remote users.
2. www.siterunningthephoto.com/photofolder/database/mpcsoftweb_photo.mdb
3. Hide mpcsoftweb_photo.mdb.
4. Vendor URL: http://www.mpcsoftweb.co.uk/pages/mpcsoftweb_photo.asp
-CT