Bugtraq mailing list archives
Kshout Data Disclosure
From: "group () soulblack com ar" <group () soulblack com ar>
Date: Fri, 29 Jul 2005 21:05:34 -0200
============================================================
Title: Kshout Data Disclosure
Vulnerability Discovery: SoulBlack - Security Research - http://soulblack.com.ar
Date: 26/07/2005
Severity: Medium. Remote users can view configuration file.
Affected version: 2.* & 3.*
Vendor: http://www.knusperleicht.at/
============================================================

* Summary *

This is a simple ShoutBox.

-------------------------------------------------------------

* Problem Description *

The default installation saves its configuration in an insecure file.
Remote users can view settings.dat

Example:

http://server/shoutbox/db/settings.dat

/*
....
username='5588cb8830fdb8ac7159b7cf5d1e611e';
$passwort='d1ff1ec86b62cd5f3903ff19c3a326b2';
....
*/

-------------------------------------------------------------

* Fix *

Unofficial Patch:

/*
Change:
require("$sb_path"."db/settings.dat");
for
require("$sb_path"."db/settings.php");
*/

and rename settings.dat to settings.php in dir /shoutbox/db/

-------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/advisory/kshout_advisory.txt

-------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================

--
SoulBlack - Security Research
http://www.soulblack.com.ar
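Added example, not part of the original advisory or of Kshout's code: a Python audit that walks a document root and reports PHP require/include targets whose extension the web server would return as plain text, which is the condition the unofficial patch removes by renaming settings.dat to settings.php. The set of executed extensions, the index.php file name and the sample tree are assumptions constructed for illustration.

```python
import os
import re

# Extensions assumed to be handed to the PHP interpreter (assumption: adjust to
# the handler mapping of the server being audited). Anything else under the
# document root is served back verbatim, source code included.
EXECUTED = {".php", ".phtml"}

# require/include statements, e.g. require("$sb_path"."db/settings.dat");
INCLUDE_RE = re.compile(r"\b(?:require|include)(?:_once)?\b\s*\(?([^;]*);")
LITERAL_RE = re.compile(r"""["']([^"']*)["']""")

def find_exposed_includes(docroot):
    """Return sorted (source, include_target, served_path) tuples for PHP code
    that includes a file the web server would deliver as plain text."""
    served, sources = [], []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), docroot)
            rel = rel.replace(os.sep, "/")
            is_php = os.path.splitext(name)[1].lower() in EXECUTED
            (sources if is_php else served).append(rel)
    findings = set()
    for src in sources:
        with open(os.path.join(docroot, src), encoding="utf-8", errors="replace") as fh:
            code = fh.read()
        for stmt in INCLUDE_RE.findall(code):
            literals = LITERAL_RE.findall(stmt)
            if not literals:
                continue
            target = literals[-1].lstrip("/")  # last literal holds the file name
            for path in served:
                if path == target or path.endswith("/" + target):
                    findings.add((src, target, path))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: one default-style install, one with the patch applied."""
    layout = {
        "shoutbox/index.php": '<?php require("$sb_path"."db/settings.dat"); ?>',
        "shoutbox/db/settings.dat": "<?php $passwort='CONSTRUCTED-PLACEHOLDER'; ?>",
        "patched/index.php": '<?php require("$sb_path"."db/settings.php"); ?>',
        "patched/db/settings.php": "<?php $passwort='CONSTRUCTED-PLACEHOLDER'; ?>",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
```

Calling build_sample_tree() on an empty temporary directory and then find_exposed_includes() on it reports only the unpatched layout; the tree that uses settings.php produces no finding.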