Kaos news Lets Remote Users Download the Database Containing Passwords
SecurityTracker Alert ID: 1009958
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 27 2004
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Version(s): 0.9
Description: CyberTal0n reported a vulnerability in Kaos news. A remote user can download the underlying database.
It is reported that the software stores usernames, passwords, and configuration data in the 'kaosnews.mdb' database file in a publicly accessible web directory. A remote user can download the file with the following type of URL:
http://[target]/news/kaosnews.mdb
Impact: A remote user can access the database.
Solution: No solution was available at the time of this entry.
Vendor URL: www.webkaos.co.uk/scripts.asp?cat=asp&scriptid=1
Cause: Access control error, Configuration error
Underlying OS: Windows (Any)
Message History:
None.
Source Message Contents
Date: Tue, 27 Apr 2004 02:33:02 -0400
Subject: Kaos news v0.9 lets remote users download the user database
Kaos news v0.9 lets remote users download the user database
Found by: CyberTalon
1. Problem
2. Exploit
3. Info
1. Authors Panel script stores usernames and passwords along with other configurations in kaosnews.mdb, which is downloadable thru the web by remote users.
2. www.site.com/news/kaosnews.mdb
3. Vendor URL: www.webkaos.co.uk
-CT
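
Added example (not part of the advisory or the vendor's code): a local audit that walks a web root and flags Microsoft Access database files the server could hand out, matching by extension and by the Jet/ACE header signature so that renamed copies are caught too. The files built in `demo()` are constructed samples; only the `news/kaosnews.mdb` path comes from the advisory.

```python
import os
import tempfile
from pathlib import Path

# Jet (.mdb) and ACE (.accdb) files carry one of these signatures at offset 4.
SIGNATURES = (b"Standard Jet DB", b"Standard ACE DB")
DB_EXTENSIONS = {".mdb", ".accdb"}


def is_access_database(path):
    try:
        with open(path, "rb") as fh:
            header = fh.read(32)
    except OSError:
        return False  # unreadable or missing file: no signature to report
    return any(header[4:4 + len(sig)] == sig for sig in SIGNATURES)


def find_exposed_databases(web_root):
    """List (url_path, reason) for database files under a served directory."""
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        for name in files:
            full = os.path.join(dirpath, name)
            by_magic = is_access_database(full)
            if by_magic or os.path.splitext(name)[1].lower() in DB_EXTENSIONS:
                rel = os.path.relpath(full, web_root).replace(os.sep, "/")
                findings.append(("/" + rel, "signature" if by_magic else "extension"))
    return sorted(findings)


def demo():
    """Audit a constructed web root; all file contents are made-up samples."""
    jet_header = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 12
    samples = {
        "news/kaosnews.mdb": jet_header,      # path reported in the advisory
        "news/default.asp": b"<% %>",         # ordinary script, not flagged
        "news/backup.bak": jet_header,        # hypothetical renamed copy
        "news/empty.mdb": b"",                # matches by extension only
    }
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / "news").mkdir()
        for rel, data in samples.items():
            Path(root, rel).write_bytes(data)
        return find_exposed_databases(root)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Any path this reports belongs outside the served directory, or the web server should be configured to refuse requests for it.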