ASP-CMS 'mdb-database/ASP-CMS_v100.mdb' Permissions and Access Control Vulnerability

Vulnerability ID: 1188905    Vulnerability type: Permissions and access control
Published: 2007-10-06    Updated: 2007-10-06
CVE ID: CVE-2007-5260    CNNVD-ID: CNNVD-200710-119
Platform: N/A    CVSS score: 5.0
|Vulnerability sources
https://www.securityfocus.com/bid/85327
https://cxsecurity.com/issue/WLB-2007100020
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200710-119
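|Vulnerability details
ASP-CMS 1.0 stores sensitive information under the web root without sufficient access control, which allows remote attackers to download a database containing usernames and passwords via a direct request for mdb-database/ASP-CMS_v100.mdb.
|Exploit (EXP)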
ASP-CMS version 1 default password location.

http://asp-cms.sourceforge.net/

A vulnerability exists within the content management system ASP-CMS that allows a remote user to see the username and password of the content management system itself. The user/pass combo along with all the other settings of the application are stored in an MDB file in the folder mdb-database.

Attackers can input the following into an affected site:
http://www.example.com/asp-cms/mdb-database/ASP-CMS_v100.mdb

The fix would be to place the file somewhere else on the filesystem, out of reach of the http area.
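
A defender-side check for the condition described above, as an added example that is not part of the original advisory or of ASP-CMS: it walks a web root and lists database files that a direct request could fetch. The function names, the extensions beyond .mdb and the sample directory layout are assumptions constructed for illustration; the check generalizes from the one file named in the advisory to any file-based database under the root.

```python
import os
import tempfile

# Extensions of file-based databases that should not sit under a web root.
# ".mdb" is the case on this page; the others are an assumed generalization.
DB_EXTENSIONS = {".mdb", ".accdb", ".sqlite", ".db"}


def find_exposed_databases(web_root, extensions=DB_EXTENSIONS):
    """Return sorted URL paths (relative to web_root) of database files."""
    web_root = os.path.abspath(web_root)
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(web_root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() in extensions:
                rel = os.path.relpath(os.path.join(dirpath, name), web_root)
                exposed.append("/" + rel.replace(os.sep, "/"))
    return sorted(exposed)


def build_sample_tree(base):
    """Constructed sample layout: one copy inside the web root, one outside."""
    web_root = os.path.join(base, "wwwroot")
    os.makedirs(os.path.join(web_root, "asp-cms", "mdb-database"))
    os.makedirs(os.path.join(base, "data"))  # outside the web root
    for path in (
        os.path.join(web_root, "asp-cms", "default.asp"),
        os.path.join(web_root, "asp-cms", "mdb-database", "ASP-CMS_v100.mdb"),
        os.path.join(base, "data", "ASP-CMS_v100.mdb"),
    ):
        with open(path, "wb") as fh:
            fh.write(b"")  # empty placeholder file, no real data
    return web_root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for url_path in find_exposed_databases(build_sample_tree(tmp)):
            print("database file inside web root:", url_path)
```

The copy under `data/` is not reported because it lies outside the directory the web server publishes, which is the layout the advisory's fix asks for.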
|Affected products
Asp-Cms Asp-Cms 1.0
|References

Source: BUGTRAQ
Name: 20070930 ASP-CMS version 1 default password location.
Link: http://www.securityfocus.com/archive/1/archive/1/481213/100/0/threaded
Source: SREASON
Name: 3199
Link: http://securityreason.com/securityalert/3199