MPCSoftWeb Photo Discloses Administrator Password to Remote Users
SecurityTracker Alert ID: 1007567
SecurityTracker URL: http://securitytracker.com/id/1007567
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 26 2003
Impact: Disclosure of authentication information, User access via network
Exploit Included: Yes
Description:
CyberTalon reported a vulnerability in MPCSoftWeb Photo. A remote user can obtain the administrator's password.
It is reported that a remote user can request the 'mpcsoftweb_photo.mdb' file containing the administrator's username and password. A demonstration exploit URL is provided:
http://[target]/photofolder/database/mpcsoftweb_photo.mdb
Impact:
A remote user can obtain the administrator's username and password.
Solution:
No solution was available at the time of this entry.
The report indicates that, as a workaround, you can use access controls to protect the 'mpcsoftweb_photo.mdb' file.
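To check whether the database has already been retrieved, and to confirm that the access-control workaround is taking effect, the web server's logs can be searched for requests to .mdb files. The following is an added example, not part of the original advisory or the vendor's code; it assumes IIS W3C extended logs with a #Fields header, and the log lines in it are constructed sample data.

```python
# Added example: find requests for Access database files in IIS W3C logs.
# The log lines below are constructed sample data, not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2003-08-26 10:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-08-26 10:00:01 192.0.2.10 GET /photofolder/default.asp - 200
2003-08-26 10:02:17 198.51.100.7 GET /photofolder/database/mpcsoftweb_photo.mdb - 200
2003-08-26 10:05:40 198.51.100.7 GET /photofolder/Database/MPCSoftWeb_Photo.MDB - 206
2003-08-27 09:12:03 203.0.113.5 GET /photofolder/database/mpcsoftweb_photo.mdb - 403
2003-08-27 09:13:00 203.0.113.5 GET /photofolder/images/a.jpg - 200
""".splitlines()

SERVED = {"200", "206"}  # full or partial content was returned


def find_mdb_requests(lines, suffix=".mdb"):
    """Return (served, refused) lists of dicts for requests to *.mdb files."""
    fields, served, refused = [], [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            # Column layout can change mid-file; re-read it every time.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        row = dict(zip(fields, values))
        # IIS on Windows resolves paths case-insensitively.
        if not row.get("cs-uri-stem", "").lower().endswith(suffix):
            continue
        (served if row.get("sc-status") in SERVED else refused).append(row)
    return served, refused


if __name__ == "__main__":
    served, refused = find_mdb_requests(SAMPLE_LOG)
    for r in served:
        print("SERVED ", r["date"], r["time"], r["c-ip"], r["cs-uri-stem"])
    for r in refused:
        print("REFUSED", r["date"], r["time"], r["c-ip"], r["sc-status"])
```

Any entry in the served list means the stored administrator credentials should be treated as exposed and changed; once access controls are in place, new requests for the file should appear only in the refused list.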
Vendor URL: www.mpcsoftweb.co.uk/pages/mpcsoftweb_photo.asp
Cause: Access control error
Underlying OS: Windows (Any)
Message History: None.

Source Message Contents
Date: Mon, 25 Aug 2003 12:47:11 -0300
Subject: mpcsoftweb Photo discloses the database of usernames and passwords
mpcsoftweb Photo discloses the database of usernames and passwords
Found by: CyberTalon
1. Problem
2. Exploit
3. Solution
4. Info
1. mpcsoftweb Photo stores the administrator's username and password in
database/mpcsoftweb_photo.mdb, which is downloadable through the web by
remote users.
2. www.siterunningthephoto.com/photofolder/database/mpcsoftweb_photo.mdb
3. Hide mpcsoftweb_photo.mdb.
4. Vendor URL: http://www.mpcsoftweb.co.uk/pages/mpcsoftweb_photo.asp
-CT