SecurityTracker.com
Category:  Application (Forum/Board/Portal)  >  Uapplication
Vendors:  Uapplication
Uapplication Products Disclose the Database to Remote Users and Let Remote Authenticated Administrators Upload Arbitrary Files
SecurityTracker Alert ID:  1013830
SecurityTracker URL:  http://securitytracker.com/id?1013830
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Apr 28 2005
Impact:  Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Exploit Included:  Yes  
Description:  Team-evil MOroccain Hackers reported a vulnerability in several Uapplication products. A remote user can obtain the database, which includes the administrative password.

A remote user can supply the following type of URLs to obtain the underlying database files:

http://[target]/uguestbook/mdb-databse/guestbook.mdb

http://[target]/ublog/mdb-database/blog.msb

http://[target]/uphotogallery/mdb-database/uphotogallery.mdb

The database contains the administrative password.

A remote authenticated administrator can invoke the uphotogallery 'edit_image.asp' script to upload arbitrary files to the target system.

Team-evil MOroccain Hackers reported this vulnerability.

Impact:  A remote user can obtain the database, which includes the administrator's password.

A remote authenticated administrator can upload arbitrary files to the target system.

Solution:  No solution was available at the time of this entry.
Vendor URL:  www.uapplication.com/
Cause:  Access control error
Underlying OS:  Windows (Any)
Reported By:  "rida rida" <l8oo8l@msn.com>
Message History:   None.
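
With no vendor fix available, a site running these products can review its web server logs for the requests described above. The following is an added example, not part of the original advisory or the vendor's code; it assumes IIS W3C extended logs, and the sample log lines and the `find_events` name are constructed for illustration.

```python
import re

# Constructed sample in IIS W3C extended log format (assumed); the addresses
# are documentation ranges, not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-04-28 10:01:02 192.0.2.10 GET /uguestbook/default.asp - 200
2005-04-28 10:01:09 192.0.2.10 GET /uguestbook/mdb-databse/guestbook.mdb - 200
2005-04-28 10:01:15 192.0.2.10 GET /ublog/mdb-database/blog.msb - 404
2005-04-28 10:02:40 198.51.100.7 GET /UPhotoGallery/mdb-database/uphotogallery.mdb - 200
2005-04-28 10:05:11 198.51.100.7 POST /uphotogallery/edit_image.asp id=3 200
2005-04-28 10:06:00 203.0.113.5 GET /uphotogallery/edit_image.asp id=3 200
"""

# Database files under the application directories named in the advisory.
DB_PATH = re.compile(r"^/(uguestbook|ublog|uphotogallery)/.*\.(mdb|msb)$", re.I)
UPLOAD_SCRIPT = re.compile(r"^/uphotogallery/edit_image\.asp$", re.I)


def find_events(log_text):
    """Return (kind, client_ip, path, status) tuples for requests worth review."""
    fields, events = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The column layout is declared in the log and can change mid-file.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated line
        row = dict(zip(fields, parts))
        method, path, status = (row.get(k, "") for k in ("cs-method", "cs-uri-stem", "sc-status"))
        if DB_PATH.match(path):
            # A 2xx answer means the database file was actually served.
            kind = "db-download" if status.startswith("2") else "db-probe"
        elif UPLOAD_SCRIPT.match(path) and method == "POST":
            kind = "edit-image-post"
        else:
            continue
        events.append((kind, row.get("c-ip", "?"), path, status))
    return events


if __name__ == "__main__":
    for event in find_events(SAMPLE_LOG):
        print(*event)
```

A `db-download` hit means the administrative password stored in that database should be treated as disclosed; `edit-image-post` entries are legitimate for real administrators and only merit review alongside a preceding download.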


 Source Message Contents

Date:  Wed, 27 Apr 2005 13:35:12 +0000
From:  "rida rida" <l8oo8l@msn.com>
Subject:  vulnerability in uapplication

 
 
Team-evil MOroccain Hackers
A remote user can download the database and obtain the administrative password.
 
and uphotogallery admin can  upload files
 
www.target.com/uguestbook/mdb-databse/guestbook.mdb
 
www.target.com/ublog/mdb-database/blog.msb
 
www.target.com/uphotogallery/mdb-database/uphotogallery.mdb
 
In uphotogallery, new_image.asp does not allow uploading files, but when you want to edit your image you can upload files with edit_image.asp.
by Team-evil MOroccain Hackers -= by G0rillazz =-


Copyright 2005, SecurityGlobal.net LLC