wcSimple Poll 'password.txt' Remote Information Disclosure Vulnerability

Vulnerability ID 1192085 Vulnerability type Unknown
Published 2007-01-17 Updated 2007-01-17
CVE ID CVE-2007-0312 CNNVD-ID CNNVD-200701-270
Platform N/A CVSS score 7.8
|Vulnerability Source
https://www.securityfocus.com/bid/86746
https://cxsecurity.com/issue/WLB-2007010072
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-270
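|Vulnerability Details
wcSimplePoll stores sensitive information under the web root without sufficient access restrictions, which allows remote attackers to obtain password information via a direct request for password.txt.
|Exploit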
------------------------------------------------------------------------
-------------------------------------------

AYYILDIZ.ORG PreSents...

*Script: wcSimple Poll 
*Download: members.monarch.net/offsite/ZipFiles/wcPoll.zip

*Contact: ilker Kandemir <ilkerkandemir[at]mynet.com>

------------------------------------------------------------------------
-------------------------------------------

*Exploit:  http://[Site]/[Script_Path]/password.txt

------------------------------------------------------------------------
-------------------------------------------

Tnx:H0tturk,Dr.Max Virus,Asianeagle,PcDelisi,CodeR,Dum?nci 
Special Tnx: AYYILDIZ.ORG
|Affected Products
Wcsimple Poll Wcsimple Poll 0
|References

Source: BUGTRAQ
Name: 20070114 wcSimple Poll (password.txt) Remote Password Disclosure Vulnerablity
Link: http://www.securityfocus.com/archive/1/archive/1/456982/100/0/threaded
Source: OSVDB
Name: 33539
Link: http://osvdb.org/33539
Source: SREASON
Name: 2157
Link: http://securityreason.com/securityalert/2157