lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <20050729230542.M46991@soulblack.com.ar> Date: Sat Jul 30 00:08:04 2005 From: group at soulblack.com.ar (group@...lblack.com.ar) Subject: Kshout Data Disclosure =========================================================== ============================================================ Title: Kshout Data Disclosure Vulnerability Discovery: SoulBlack - Security Research - http://soulblack.com.ar Date: 26/07/2005 Severity: Medium. Remote users can view configuration file. Affected version: 2.* & 3.* Vendor: http://www.knusperleicht.at/ ============================================================ ============================================================ * Summary * This is a simple ShoutBox. ------------------------------------------------------------- * Problem Description * Default Installation save configuration in insecure file. Remote users can view settings.dat Example: http://server/shoutbox/db/settings.dat /* .... username='5588cb8830fdb8ac7159b7cf5d1e611e'; $passwort='d1ff1ec86b62cd5f3903ff19c3a326b2'; .... */ -------------------------------------------------------- ------------------------------------------------------------- * Fix * Unofficial Patch: /* Change: require("$sb_path"."db/settings.dat"); for require("$sb_path"."db/settings.php"); */ and rename settings.dat to settings.php in dir /shoutbox/db/ ------------------------------------------------------------- * References * http://www.soulblack.com.ar/repo/papers/advisory/kshout_advisory.txt ------------------------------------------------------------- * Credits * Vulnerability reported by SoulBlack Security Research ============================================================ -- SoulBlack - Security Research http://www.soulblack.com.ar
Powered by blists - more mailing lists