Info |
Last Modified |
| 7 months ago |
|
|
|
|
Description |
EZGuestbook contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the product stores its database within the web root, where it can be downloaded with a simple browser request. This will disclose all guestbook information, including the administrator's username and cleartext password, resulting in a loss of confidentiality.
|
|
Classification |
Location:
Remote/Network Access Required
Attack Type:
Information Disclosure
Impact:
Loss of Confidentiality
Exploit:
Exploit Available
Disclosure:
OSVDB Verified
|
|
Technical |
No version numbers are available for this product. The vulnerability was tested with the latest revision available for download from the vendor at this time. The latest file modification date within this version is 2004-11-16.
|
|
Solution |
Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround(s): Apply web server access controls to the datastores directory, or relocate guestbook.mdb outside of the web root and modify config.asp to point to the new location by changing the line that reads:

strDBPath = "/ezguestbook/datastores/guestbook.mdb"
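To confirm the relocation workaround took effect, the following added example (not vendor or OSVDB code) reads the strDBPath assignment from config.asp and reports whether the database still resolves to a location under the web root. It assumes a value beginning with "/" is a virtual path mapped under the web root and any other value is a physical Windows path; the web root and the relocated path are constructed samples.

```python
import ntpath
import re

# The assignment the advisory quotes from config.asp. Anchoring at line start
# skips lines commented out with a leading apostrophe (classic ASP comments).
DBPATH_RE = re.compile(r'^[ \t]*strDBPath[ \t]*=[ \t]*"([^"]*)"',
                       re.IGNORECASE | re.MULTILINE)


def db_inside_web_root(config_text, web_root):
    """Return (inside, physical_path) for the strDBPath set in config.asp.

    Assumption: a value starting with "/" is a virtual path mapped under
    web_root; any other value is taken as a physical Windows path.
    """
    match = DBPATH_RE.search(config_text)
    if match is None:
        raise ValueError("no strDBPath assignment found")
    value = match.group(1)
    root = ntpath.normpath(web_root)
    if value.startswith("/"):
        physical = ntpath.normpath(ntpath.join(root, value.lstrip("/")))
    else:
        physical = ntpath.normpath(value)
    # Windows paths compare case-insensitively; normpath has already
    # collapsed any ".." segments, so a prefix test is sufficient here.
    prefix = root.lower().rstrip("\\") + "\\"
    return physical.lower().startswith(prefix), physical


# Constructed samples: the shipped setting, and a relocated one that keeps
# the old line as a comment. The paths are illustrative only.
WEB_ROOT = r"C:\inetpub\wwwroot"
SHIPPED = 'strDBPath = "/ezguestbook/datastores/guestbook.mdb"\n'
RELOCATED = ("' strDBPath = \"/ezguestbook/datastores/guestbook.mdb\"\n"
             'strDBPath = "D:\\data\\guestbook.mdb"\n')

if __name__ == "__main__":
    for name, text in (("shipped", SHIPPED), ("relocated", RELOCATED)):
        print(name, db_inside_web_root(text, WEB_ROOT))
```

The check covers file location only; a database left inside the web root still needs the access-control workaround verified separately.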
|
|
Products |
|
EZGuestbook
 |
2004-11-16 |
Credit |
- g0rellazz G0r - l8oo8l
gmail.com - Team-evil Moroccain Hackers