HTMLJunction EZGuestbook database disclosure
htmljunction-database-disclosure (20487)
Description:
HTMLJunction EZGuestbook could allow a remote attacker to obtain the guestbook database because of a vulnerability in the default configuration. The default configuration fails to provide proper access controls for the database directory. A remote attacker could exploit this vulnerability by downloading the guestbook.mdb database file, gaining unauthorized access to the guestbook database.
Platforms Affected:
- HTMLJunction, HTMLJunction EZGuestbook
Remedy:
No remedy available as of July 4, 2009.
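Added example, not part of the original record or the vendor's code: a check an administrator can run against a web document root to list Access database files stored beneath it, the condition described above. It goes slightly beyond the single guestbook.mdb case by matching the Jet/ACE file signature as well as the extension, so renamed copies are also reported; the sample directory layout and the `backup.dat` name are constructed for illustration.

```python
import os
import sys
import tempfile

# Access databases start with 00 01 00 00 followed by one of these strings.
JET_MAGICS = (b"Standard Jet DB", b"Standard ACE DB")
DB_EXTENSIONS = (".mdb", ".accdb")

def is_access_database(path):
    """True if the file header carries the Jet/ACE signature at offset 4."""
    try:
        with open(path, "rb") as fh:
            header = fh.read(19)
    except OSError:
        return False
    return header[:4] == b"\x00\x01\x00\x00" and header[4:19] in JET_MAGICS

def find_exposed_databases(docroot):
    """Return sorted (relative_path, reason) pairs for database files under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            if is_access_database(full):
                findings.append((rel, "jet-signature"))
            elif name.lower().endswith(DB_EXTENSIONS):
                findings.append((rel, "extension-only"))
    return sorted(findings)

def build_sample_docroot(root):
    """Constructed sample tree: one .mdb, one renamed copy, one HTML page."""
    jet_header = b"\x00\x01\x00\x00Standard Jet DB\x00" + b"\x00" * 64
    os.makedirs(os.path.join(root, "guestbook", "db"))
    samples = {
        "guestbook/db/guestbook.mdb": jet_header,
        "guestbook/db/backup.dat": jet_header,  # renamed database (constructed)
        "guestbook/index.html": b"<html></html>",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    # Pass a real document root as the first argument, or run on the sample tree.
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    if len(sys.argv) <= 1:
        build_sample_docroot(target)
    for rel, reason in find_exposed_databases(target):
        print(f"{reason}\t{rel}")
```

Any file it reports sits inside the served tree and should be moved outside the document root or have direct requests to it denied by the web server.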
Consequences:
Gain Access
References:
- cgi-bin Web site, PHP Scripts: BBSes & Guestbooks: EzGuestBook at http://www.cgi-bin.com/Detailed/1704.html.
- BID-13543: HTMLJunction EZGuestbook Guestbook.mdb Database Disclosure Vulnerability
- CVE-2005-1660: HTMLJunction EZGuestbook stores the guestbook.mdb file under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as the administrative password.
- OSVDB ID: 16444: HTMLJunction EZGuestbook guestbook.mdb Remote Information Disclosure
- SECTRACK ID: 1013912: HTMLJunction EZGuestbook Discloses Database to Remote Users
Reported:
May 06, 2005
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
