Open Source and information security mailing list archives
Message-ID: <20050320063443.10181.qmail@www.securityfocus.com>
Date: 20 Mar 2005 06:34:43 -0000
From: farhad koosha <farhadkey@...oo.com>
To: bugtraq@...urityfocus.com
Subject: 2 vulnerabilities in BetaParticle

BetaParticle (bp) is an ASP CMS (Blog + Gallery).
I found 2 vulnerabilities in BetaParticle.

* http://example.com/bp is the BP path.

1) BP Database Disclosure

For version < 3.0
Database path: http://example.com/bp/database/dbBlogMX.mdb
You can download it and disclose the administrator username and password.
Solution: Move your DB outside the web root and correct the DB physical path.
---------------------------------------------------
For version >= 3.0
Database path: http://example.com/Blog.mdb
*And the BP path must be: http://example.com/bp/
You can download it and disclose the administrator username and password.
Solution: Move your DB outside the web root and correct the DB physical path.
---------------------------------------------------
2) Upload/Delete files and images without the admin's password

For version <= 3.0
For uploading files, go to upload.asp:
http://example.com/bp/upload.asp
For deleting files, go to myFiles.asp:
http://example.com/bp/myFiles.asp
Solution: Use BP V 4.0
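A defensive check for the first issue, added here as example code (not from the advisory or from BetaParticle): given a local copy of the IIS webroot, it lists every Access database file that sits inside it (and is therefore fetchable by URL) and the classic-ASP connection strings that point at those files, so the DB can be moved outside the webroot and the physical path corrected as the post recommends. The sample layout (bp/database/dbBlogMX.mdb and a conn.asp) is constructed for the demo.

```python
"""Audit an ASP webroot for an Access database left inside it (example code)."""
import os
import re
import tempfile

DB_EXTENSIONS = (".mdb", ".ldb")  # Jet data file and its lock file
# Connection-string fragments that name the database file in classic ASP code
DB_REF = re.compile(r'(?:Server\.MapPath\("([^"]+)"\)|DBQ=([^;"]+))', re.IGNORECASE)


def find_exposed_databases(webroot):
    """Return webroot-relative paths of database files a browser could download."""
    found = []
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if name.lower().endswith(DB_EXTENSIONS):
                rel = os.path.relpath(os.path.join(dirpath, name), webroot)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def find_db_references(webroot):
    """Map each .asp file to the database paths its connection strings point at."""
    refs = {}
    for dirpath, _, filenames in os.walk(webroot):
        for name in filenames:
            if not name.lower().endswith(".asp"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                hits = [a or b for a, b in DB_REF.findall(fh.read())]
            if hits:
                refs[os.path.relpath(path, webroot).replace(os.sep, "/")] = hits
    return refs


def demo_webroot():
    """Constructed layout mirroring the pre-3.0 path from the post (not a real install)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bp", "database"))
    open(os.path.join(root, "bp", "database", "dbBlogMX.mdb"), "wb").close()
    with open(os.path.join(root, "bp", "conn.asp"), "w") as fh:
        fh.write('<% Set cn = Server.CreateObject("ADODB.Connection")\n'
                 'cn.Open "Driver={Microsoft Access Driver (*.mdb)};DBQ=" & '
                 'Server.MapPath("database/dbBlogMX.mdb") %>')
    return root


if __name__ == "__main__":
    root = demo_webroot()
    print("Downloadable DB files:", find_exposed_databases(root))
    print("ASP references:", find_db_references(root))
```

Any path reported by find_exposed_databases is a file the web server will hand to an unauthenticated request; after moving it, the referenced paths from find_db_references are the connection strings that need the new absolute location.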