Smart Guest Book Discloses Database and Administrative Password to Remote Users
SecurityTracker Alert ID: 1011084
SecurityTracker URL: http://securitytracker.com/id?1011084
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 29 2004
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Advisory: Security .Net Information
Description: Security .Net Information reported a vulnerability in the Smart Guest Book. A remote user can directly access the news database and view the administrative password.
It is reported that a remote user can download the database with the following type of URL:
http://[target]/path_of_guestbook/SmartGuestBook.mdb
It is also reported that the database contains the administrator's password in unencrypted form.
Impact: A remote user can download the database and obtain the administrative password.
Solution: No solution was available at the time of this entry.
Vendor URL: www.smartwebby.com/web_products/flash_guestbook/default.asp
Cause: Access control error, Configuration error
Underlying OS: Windows (Any)
Reported By: "Security .Net Information" <snilabs@gmail.com>
Message History:
None.
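
A detection sketch for the exposure described above, added here as an example (it is not part of the advisory or of the vendor's code): it scans W3C extended-format web server logs, assumed to be what the Windows host writes, for requests to Access database files and separates the ones the server answered successfully from failed probes. The log lines, addresses and the `find_db_requests` name are constructed for illustration.

```python
"""Flag web requests for Access database files in W3C extended logs."""

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status sc-bytes
2004-08-29 10:01:02 192.0.2.10 GET /guestbook/default.asp - 200 5120
2004-08-29 10:01:09 192.0.2.10 GET /guestbook/SmartGuestBook.mdb - 200 184320
2004-08-29 10:02:44 198.51.100.7 GET /guestbook/smartguestbook.MDB - 404 1795
2004-08-29 10:03:15 203.0.113.5 HEAD /guestbook/SmartGuestBook.mdb - 200 0
"""

DB_EXTENSIONS = (".mdb", ".ldb")  # Access database and its lock file


def find_db_requests(log_text):
    """Return (served, probed) lists of requests whose path is a database file."""
    fields, served, probed = [], [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        # Windows paths are case-insensitive, so compare in lower case.
        if not row.get("cs-uri-stem", "").lower().endswith(DB_EXTENSIONS):
            continue
        hit = {k: row.get(k, "-") for k in
               ("date", "time", "c-ip", "cs-method", "cs-uri-stem", "sc-status")}
        # Any 2xx answer means the file is reachable from the web.
        (served if hit["sc-status"].startswith("2") else probed).append(hit)
    return served, probed


if __name__ == "__main__":
    served, probed = find_db_requests(SAMPLE_LOG)
    for hit in served:
        print("SERVED", hit["date"], hit["time"], hit["c-ip"], hit["cs-uri-stem"])
    for hit in probed:
        print("PROBE ", hit["date"], hit["time"], hit["c-ip"], hit["sc-status"])
```

Any entry in the served list means the database, and the unencrypted administrator password the advisory says it contains, should be treated as disclosed.
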
Source Message Contents
Date: Sat, 28 Aug 2004 22:55:26 -0300
From: "Security .Net Information" <snilabs@gmail.com>
Subject: Smart Guest Book Discloses Database to Remote Users.
Security .Net Information Advisory:
Smart Guest Book Discloses Database to Remote Users.
A remote user can download the news database.
Passwd and user admin are not encrypted =) remote user can gain admin access.
Example:
http://www.target.com/path_of_guestbook/SmartGuestBook.mdb
Vendor Contacted: not yet..lol
Greetz: friends of irc.unityirc.net (private & rumbeando)
--
Security .Net Information..
Questions?... mail me