Bugtraq mailing list archives
Recruitment Software allows MySQL credentials disclosure
From: Rafael San Miguel Carrasco <smcsoc () yahoo es>
Date: Sat, 31 Dec 2005 12:14:59 +0100
PRODUCT DESCRIPTION

Recruitment Software (http://www.recruitment-agency-software.com/) is a free, full-featured web-based recruitment agency software product. An easy to use back-end administration gives you full control over your recruitment job listings. It has been checked that several institutions are relying on this software for their recruitment processes.

VULNERABILITY DESCRIPTION

Default installations allow anyone to read MySQL database credentials. The following URL shows an XML file with such information:

http://<server>/<root-dir>/admin/site.xml

WORKAROUND

Protect this resource with HTTP-based authentication.

Rafael San Miguel Carrasco
Security Consultant
www.rafaelsanmiguel.com
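
One way to apply the workaround above, as an added example that is not part of the original advisory or the product's own configuration. It assumes the application is served by Apache httpd 2.4 with mod_auth_basic and mod_authn_file loaded; the filesystem path, realm name and password file location are placeholders.

```apache
# Added example (assumption: Apache httpd 2.4; the advisory does not name a web server).
# /path/to/root-dir and the AuthUserFile location are placeholders.
#
# Create the password file outside the web root first, e.g.:
#   htpasswd -c /etc/apache2/recruitment.htpasswd adminuser
#
# Basic authentication sends the password base64-encoded on every request,
# so this section should only be reachable over HTTPS.

<Directory "/path/to/root-dir/admin">
    # Require a login for everything under admin/, including site.xml
    AuthType Basic
    AuthName "Recruitment admin"
    AuthUserFile "/etc/apache2/recruitment.htpasswd"
    Require valid-user

    # Stricter alternative, valid only if nothing needs to fetch site.xml
    # over HTTP (assumption to verify before enabling):
    # <Files "site.xml">
    #     Require all denied
    # </Files>
</Directory>
```

After reloading the server, an unauthenticated request for admin/site.xml should return 401 instead of the XML file.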