Zen Help Desk 敏感信息泄露漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1190275 漏洞类型 未知
发布时间 2007-06-11 更新时间 2007-06-11
CVE编号 CVE-2007-3146 CNNVD-ID CNNVD-200706-160
漏洞平台 N/A CVSS评分 5.0
|漏洞来源
https://www.securityfocus.com/bid/86087
https://cxsecurity.com/issue/WLB-2007060049
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200706-160
|漏洞详情
ZenHelpDesk中存在敏感信息泄露漏洞。ZenHelpDesk在web根下储存敏感信息而未赋予足够的访问控制,远程攻击者可以借助一个对ZenHelpDesk.mdb的直接请求,下载一个包含密码的数据库。
|漏洞EXP

--/ INTRODUCTION --

*
*
* Advisory : Zen Help Desk ==> Version 2.1 Bypass/Database Download Vulnerability
* Release Date : 25 / 05 / 2007
* Application : Zen Help Desk ==> Version 2.1
* Impact : Remote
* Googledork : "CopyRight 2004  Zen Help Desk" ,allintitle:Zen Help Desk or 
* or"allinurl:trackrequest.asp"
* Author : Titanichacker
* Contact : the-modest-pirate (at) hotmail (dot) com [email concealed]
* Home page : http://Hack-Teach.org
*
*

--/ REPRODUCE --

# Attackers Can Authentication Bypass In This Product By Add The Following 
Files:
('/ZenHelpDesk.mdb') And Download The Database Which Contains Table Named 
[admin]
The admin Name And Password Inside

thanx

cold-zero & mohandko & tryag team & hack-teach & drbaka & arb-hawk

# www.Hack-Teach.com & mohandko.com & tryag.com
_________________________________________________________________
Play free games, earn tickets, get cool prizes! Join Live Search Club.
http://club.live.com/home.aspx?icid=CLUB_wlmailtextlink
|受影响的产品
Zen Help Desk Software Zen Help Desk 2.1
|参考资料

来源:BUGTRAQ
名称:20070607ZenHelpDesk==>Version2.1Bypass/
链接:http://www.securityfocus.com/archive/1/archive/1/470803/100/0/threaded
来源:XF
名称:zen-zenhelpdesk-information-disclosure(34770)
链接:http://xforce.iss.net/xforce/xfdb/34770
来源:SREASON
名称:2788
链接:http://securityreason.com/securityalert/2788