Info

Disclosure

Sep 22, 2005

Discovery

Unknown

Dates

Exploit

Sep 22, 2005

Solution

Unknown

Description

phpMyFAQ contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when a remote attacker directly requests a log file from the /data/ directory occurs, which will disclose user information and other log entries resulting in a loss of confidentiality. This attack requires the attacker to supply a file name based on the date.

Classification

Location: Remote / Network Access
Attack Type: Information Disclosure
Impact: Loss of Confidentiality
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related

Solution

Upgrade to version 1.5.2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

phpMyFAQ Team

phpMyFAQ

1.5.1

References

Security Tracker: 1014968
Secunia Advisory ID: 16933
Related OSVDB ID: 19666 19667 19668 19669 19671 19672
CVE ID: 2005-3049 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-09/0282.html
Other Advisory URL: http://rgod.altervista.org/phpmyfuck151.html
Vendor URL: http://www.phpmyfaq.de/
http://www.phpmyfaq.de/advisory_2005-09-23.php
Vendor Specific News/Changelog Entry: http://www.phpmyfaq.de/changelog.php

Credit

rgod - rgodautistici.org - http://retrogod.altervista.org

Direct URL: http://osvdb.org/19670