Network Security: Detailed info on [Full-disclosure] Kshout Data Disclosure

Subject:	[Full-disclosure] Kshout Data Disclosure
Date:	Fri, 29 Jul 2005 21:05:34 -0200

Subject:

[Full-disclosure] Kshout Data Disclosure

Date:

Fri, 29 Jul 2005 21:05:34 -0200

===========================================================

============================================================
Title: Kshout Data Disclosure
Vulnerability Discovery: SoulBlack - Security Research -
http://soulblack.com.ar
Date: 26/07/2005
Severity: Medium. Remote users can view configuration file.
Affected version: 2.* & 3.*
Vendor: http://www.knusperleicht.at/
============================================================

============================================================

* Summary *

This is a simple ShoutBox.

-------------------------------------------------------------

* Problem Description *

Default Installation save configuration in insecure file.

Remote users can view settings.dat

Example:

http://server/shoutbox/db/settings.dat

/*

....

username='5588cb8830fdb8ac7159b7cf5d1e611e';

$passwort='d1ff1ec86b62cd5f3903ff19c3a326b2';

....

*/

--------------------------------------------------------


-------------------------------------------------------------

* Fix *

Unofficial Patch:

/*

Change: 

require("$sb_path"."db/settings.dat");

for

require("$sb_path"."db/settings.php");

*/

and rename settings.dat to settings.php in dir /shoutbox/db/
-------------------------------------------------------------

* References *

http://www.soulblack.com.ar/repo/papers/advisory/kshout_advisory.txt

-------------------------------------------------------------

* Credits *

Vulnerability reported by SoulBlack Security Research

============================================================

--
SoulBlack - Security Research
http://www.soulblack.com.ar

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

<Prev in Thread]	Current Thread	[Next in Thread>
[Full-disclosure] Kshout Data Disclosure, group@soulblack.com.ar <=

<Prev in Thread]

Current Thread

[Next in Thread>

Previous by Date:	Re[2]: [Full-disclosure] SPIDynamics WebInspect Cross-ApplicationScripting (XAS), 3APA3A
Next by Date:	RE: [VOIPSEC] VoIP-Phones: Weakness in proccessing SIP-Notify-Messages, Walton, John Michael (John)
Previous by Thread:	MDKSA-2005:127 - Updated mozilla-thunderbird packages fix multiple vulnerabilities, Mandriva Security Team
Next by Thread:	Kayako liveResponse Multiple Vulnerabilities, GulfTech Security Research
Indexes:	[Date] [Thread] [Top] [All Lists]

Previous by Date:

Re[2]: [Full-disclosure] SPIDynamics WebInspect Cross-ApplicationScripting (XAS), 3APA3A

Next by Date:

RE: [VOIPSEC] VoIP-Phones: Weakness in proccessing SIP-Notify-Messages, Walton, John Michael (John)

Previous by Thread:

MDKSA-2005:127 - Updated mozilla-thunderbird packages fix multiple vulnerabilities, Mandriva Security Team

Next by Thread:

Kayako liveResponse Multiple Vulnerabilities, GulfTech Security Research

Indexes:

[Date] [Thread] [Top] [All Lists]