PHP TopSites Discloses Configuration Data to Remote Users

AFFECTED PRODUCTS
=================
PHP TopSites FREE ( all versions )
PHP TopSites PRO ( all versions )
http://itop10.net

OVERVIEW
========
PHP TopSites is a PHP/MySQL-based customizable TopList script.

DETAILS
=======
1. Information Disclosure

The setup / admin section (admin control panel) can be accessed
without authorization. This exposes the administrative MySQL info
including user-db-pass-host and admin email addresses.
Further access allows reading / editing of toplist member info
including the above data.

POC
===

1.
------

The configuration of the top lists in the admin area can be accessed
by the following URL:
http://[host]/[toplistdirectory]/[admindirectory]/setup.php



Source: http://www.securitytracker.com/alerts/2005/Jul/1014552.html
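
A log check for the exposure described above, as an added example that is not part of the quoted advisory or of PHP TopSites: it flags successful requests to setup.php that carried no authenticated user. It assumes the web server writes Apache-style "combined" access logs and that the admin directory is meant to sit behind HTTP authentication; the sample lines, addresses and paths are constructed.

```python
import re

# Apache/nginx "combined" format: host ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def unauthenticated_setup_hits(lines):
    """Return (host, time, path) for 2xx requests to setup.php with no authenticated user."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed or non-matching lines
        # Ignore the query string; compare case-insensitively because some
        # deployments sit on case-insensitive file systems.
        path = m["path"].split("?", 1)[0].lower()
        if not path.endswith("/setup.php"):
            continue
        # user == "-" means the server recorded no authenticated identity.
        if m["user"] == "-" and m["status"].startswith("2"):
            hits.append((m["host"], m["time"], m["path"]))
    return hits

# Constructed sample log lines (documentation addresses, hypothetical paths).
SAMPLE = [
    '198.51.100.7 - - [12/Jul/2005:10:01:02 +0000] "GET /toplist/admin/setup.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.9 - admin [12/Jul/2005:10:05:40 +0000] "GET /toplist/admin/setup.php HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Jul/2005:10:06:11 +0000] "GET /toplist/admin/setup.php HTTP/1.1" 401 480 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [12/Jul/2005:10:07:30 +0000] "POST /toplist/admin/SETUP.PHP?x=1 HTTP/1.1" 200 2210 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [12/Jul/2005:10:08:00 +0000] "GET /toplist/index.php HTTP/1.1" 200 9000 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, when, path in unauthenticated_setup_hits(SAMPLE):
        print(f"{when} {host} reached {path} without authentication")
```

Any hit on a live log means the admin setup page was served without credentials and the database settings it displays should be treated as disclosed.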