Web Wiz Journal Discloses Database to Remote Users
SecurityTracker Alert ID: 1011422
SecurityTracker URL: http://securitytracker.com/id?1011422
CVE Reference: GENERIC-MAP-NOMATCH
Date: Sep 27 2004
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Exploit Included: Yes
Advisory: Security .Net Information
Description: Security .Net Information (snilabs) reported a vulnerability in Web Wiz Journal. A remote user can access the database, which includes the administrative password.
It is reported that a remote user can download the database with the following type of URL:
http://[target]/PATH_TO_JOURNAL/journal.mdb
http://[target]/journal.mdb
The administrator's unencrypted password is contained in the database file.
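An added audit example, not part of the alert or of the vendor's code: it walks a web document root and lists every Access database stored beneath it, together with the URL path at which a static-file request would reach it. The extension set, the script name and the document-root argument are assumptions; the file name `journal.mdb` comes from the URLs above.

```python
"""Audit a web document root for Microsoft Access databases that the
server would hand out as static files (the condition this alert describes)."""
import os
import sys
from urllib.parse import quote

# Extensions assumed for this audit; .mdb is the one named in the alert.
DB_EXTENSIONS = {".mdb"}
# File name taken from the alert's URLs.
KNOWN_NAMES = {"journal.mdb"}


def find_exposed_databases(docroot):
    """Return a sorted list of (url_path, is_known_name) for every database
    file stored beneath docroot, i.e. reachable by a plain GET unless the
    server is configured to refuse that extension."""
    docroot = os.path.abspath(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            # Compare case-insensitively: Windows file names are not case-sensitive.
            if os.path.splitext(name)[1].lower() not in DB_EXTENSIONS:
                continue
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            url_path = "/" + quote(rel.replace(os.sep, "/"))
            findings.append((url_path, name.lower() in KNOWN_NAMES))
    return sorted(findings)


def main(argv):
    if len(argv) != 2:
        print("usage: audit_mdb.py <document-root>", file=sys.stderr)
        return 2
    findings = find_exposed_databases(argv[1])
    for url_path, known in findings:
        tag = "journal database from the alert" if known else "Access database"
        print(f"EXPOSED {url_path}  ({tag})")
    # Non-zero exit lets a scheduled job fail on any finding.
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```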

Impact: A remote user can obtain the database, including the administrative password.
Solution: No solution was available at the time of this entry.
Vendor URL: www.webwizguide.info/asp/sample_scripts/journal_application.asp
Cause: Access control error, Configuration error
Underlying OS: Windows (Any)
Reported By: "Security .Net Information" <snilabs@gmail.com>
Message History: None.

Source Message Contents

Date: Sun, 26 Sep 2004 04:54:38 -0300
From: "Security .Net Information" <snilabs@gmail.com>
Subject: Web Wiz Journal discloses database to remote users

Security .Net Information (snilabs) Advisory:
Web Wiz Journal discloses database to remote users.
A remote user can download the database containing the admin password and also
configuration.
Exploit:
http://target.com/PATH_TO_JOURNAL/journal.mdb
http://target.com/journal.mdb
Database Administrator's password is not encrypted. heh..
Vendor contacted: not yet.. lol
--
Security .Net Information..
irc.xirc.org #sni-labs
Questions?... mail me