Bugtraq mailing list archives
RE: Various Vulnerabilities in SparkleBlog
From: "Alan W. Rateliff, II" <lists () rateliff net>
Date: Sat, 15 Jan 2005 13:33:13 -0500
-----Original Message----- From: Kovács László [mailto:bugtracklist () freemail hu] Sent: Saturday, January 15, 2005 12:00 PM To: bugtraq () securityfocus com Subject: Various Vulnerabilities in SparkleBlog Various Vulnerabilities in SparkleBlog
No password requied for admin pages. So a remote attacker can request the file and admin the blog site. [blogsite]/admin/blogadmin.php [blogsite]/admin/cpconfig.php [blogsite]/admin/editentries.php [blogsite]/admin/update.php
To answer this in particular, the website says: "5. Via your domain's control panel, you should password-protect the admin folder, so that only you can add and edit posts. As in Step 1, if you are a hostee, you will need to ask your host to do that for you." Granted, it is poor way to do it, but it does appear that the script was written for those who (probably) host their stuff on their own (possibly poorly) admin'ed boxes, or one of a friends', or a free PHP host, etc. This is not industrial-grade stuff here. -- Alan W. Rateliff, II : RATELIFF.NET Independent Technology Consultant : alan2 () rateliff net (Office) 850/350-0260 : ------------------------------------------------------------- [System Administration][IT Consulting][Computer Sales/Repair]
Current thread:
- Various Vulnerabilities in SparkleBlog Kovács László (Jan 15)
- RE: Various Vulnerabilities in SparkleBlog Alan W. Rateliff, II (Jan 15)