SECURITYVULNS:DOC:12737
May 20, 2006 - 12:00 a.m.

CANews Remote Multiple Vulnerability


      - Dayfox Blog Insecure Password Storage -

-= http://colander.altervista.org/advisory/DayfoxBlog.txt =-

		 -= Dayfox Blog =-

Omnipresent
May 19, 2006

Vulnerability(s):

Insecure Password Storage

Product:

Dayfox Blog

Vendor:

http://www.hotscripts.com/Detailed/57720.html

Description of product:

An extremely simple PHP blog script that runs on TXT flat files, without the need for a MySQL database.

Resource Specification
Platform(s): linux, windows, freebsd, osx, sun
Date Added: Mar 14, 2006
Last Updated: Mar 14, 2006
Author: Dayfox

Vulnerability / Exploit:

The vulnerability in Dayfox Blog is Insecure Password Storage. The passwords are stored in a .txt file named slog_users.txt,
and an attacker using nothing more than a browser can see all of them.

PoC / Proof of Concept:

Malicious people can go to this URL:

http://127.0.0.1/[path_of_Dayfo_Blog]/edit/slog_users.txt

and can see all the passwords!
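
To confirm whether your own install is affected, and to re-test after restricting access, the check below can be used. It is an added example, not part of the original advisory or of Dayfox Blog. The sample file contents, the local test servers and the DenyUsersFile handler (a stand-in for a web-server deny rule) are assumptions constructed for the demo.

```python
import http.server, os, tempfile, threading
import urllib.error, urllib.parse, urllib.request
from functools import partial

USERS_PATH = "edit/slog_users.txt"  # location given in the advisory

def is_exposed(base_url, timeout=5):
    """True if the credential file is served to an unauthenticated GET."""
    url = base_url.rstrip("/") + "/" + USERS_PATH
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # direct
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError:
        return False  # 403/404: not readable over HTTP
    # URLError (host unreachable) propagates: "could not test" is not "safe"

class Quiet(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass

class DenyUsersFile(Quiet):
    """Stand-in for a web-server deny rule on the credential file."""
    def do_GET(self):
        # Decode first so percent-encoded or mixed-case names are also refused.
        path = urllib.parse.unquote(urllib.parse.urlsplit(self.path).path)
        if path.lower().endswith("/slog_users.txt"):
            self.send_error(403)
        else:
            super().do_GET()

def demo():
    """Serve a constructed install twice: as shipped, then with the deny rule."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "edit"))
        with open(os.path.join(root, USERS_PATH), "w") as f:
            f.write("constructed-user constructed-password\n")  # format assumed
        for name, handler in (("as_shipped", Quiet), ("deny_rule", DenyUsersFile)):
            srv = http.server.ThreadingHTTPServer(
                ("127.0.0.1", 0), partial(handler, directory=root))
            threading.Thread(target=srv.serve_forever, daemon=True).start()
            try:
                results[name] = is_exposed("http://127.0.0.1:%d" % srv.server_port)
            finally:
                srv.shutdown()
                srv.server_close()
    return results

if __name__ == "__main__":
    print(demo())
```

Blocking HTTP access only stops the file being read from a browser; the passwords inside it are still stored as the blog wrote them.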

Vendor Status

Not informed!

Credits:

omnipresent