[HSC] Snitz Forums Multiple Vulnerabilities Jan 07 2008 05:08AM
DoZ HackersCenter com (1 replies)
RE: [HSC] Snitz Forums Multiple Vulnerabilities Jan 07 2008 07:39PM
Aaron Cake (aaron vltpm com)
> - Default Database Disclosure:
> /forum/snitz_forums_2000.mdb
> Solution:
> Change the database name. The name should be a combination of
> letters and numbers.
>
> That makes it hard for anyone to guess the name of your database.

As a long time Snitz user who has installed it far more times than one would
consider sane, I question the validity of this advisory. While it is true
that the default database location is insecure, it is very clear in the
readme file that the database should be moved or at the very least renamed:

"Change the database name:
When using an Access database, all the data is stored in a single file,
unlike the other databases. So caution should be taken in where you store
your Access database as it can be downloaded by anyone if they know the
path.
If you store your Access database in a folder outside of your www folder (or
wherever you keep the files for the rest of your site), then you should be
safe because no one can download your database if it is outside of your www
folder.
If you store your database in a cgi-bin folder, or in your www folder, then
it is strongly recommended that you change the default database name from
snitz_forums_2000.mdb to a cryptic or not easy to guess name. The name
should be a combination of letters and numbers. That makes it hard for
anyone to guess the name of your database."
-Quoted from Snitz Forums 2000 README.HTM

The solution in this advisory is the same as mentioned in the README.HTM
setup instructions, and still not a good one compared to moving the file to
a directory not accessible to the public.

> - Information Leakage: (Version: 3.4.05)
> Will show the Database path: /forum/whereami.asp
>

The whereami.asp is not installed by default. It is in a ZIP file that is
optional to extract. And it will only provide the physical location of the
database if the database is in a web accessible area with the whereami.asp
file.

These are configuration issues, not security vulnerabilities.

---
Aaron Cake
Technical Services
Advanced Computer Ideas
Phone: 1-519-433-0279
Fax: 1-519-433-5413
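The practical takeaway of the thread is a configuration audit rather than a patch: is the Access .mdb reachable by URL, is it still called snitz_forums_2000.mdb, and was the optional whereami.asp helper left deployed. The script below is an added example, not code from Snitz Forums or from either poster; it resolves the database path against the web root with symlinks followed (so a string-prefix comparison cannot be fooled by a sibling directory such as /srv/www2) and reports what the README's own advice would have you fix. The /srv/www paths, the 12-character length used to judge a name "cryptic", and the function names are assumptions of this example.

```python
"""Audit a Snitz Forums 2000 install for the configuration issues discussed in the thread:
an Access .mdb left inside the web root (downloadable by anyone who knows the path) and
the optional whereami.asp helper left on the server.  Example code, not part of Snitz."""
import os
import re

DEFAULT_DB_NAME = "snitz_forums_2000.mdb"   # default file name named in the README
OPTIONAL_SCRIPTS = {"whereami.asp"}         # optional helper that reveals the database path
# The README asks for "a combination of letters and numbers"; the 12-character minimum
# is an assumption of this example, not a Snitz requirement.
CRYPTIC_NAME_RE = re.compile(r"^[A-Za-z0-9]{12,}\.mdb$", re.IGNORECASE)


def is_under(path, root):
    """True if path resolves to a location inside root, with symlinks resolved.
    commonpath() compares path components, so /srv/www2 is not "under" /srv/www."""
    root = os.path.realpath(root)
    path = os.path.realpath(path)
    try:
        return os.path.commonpath([root, path]) == root
    except ValueError:          # different drives on Windows
        return False


def web_url_for(path, root):
    """URL path at which a file inside the web root would be served."""
    rel = os.path.relpath(os.path.realpath(path), os.path.realpath(root))
    return "/" + rel.replace(os.sep, "/")


def audit_database(web_root, db_path):
    """Return a dict of checks (web_accessible, default_name, cryptic_name) and
    human-readable messages.  A database outside the web root needs no rename."""
    name = os.path.basename(db_path)
    result = {
        "web_accessible": is_under(db_path, web_root),
        "default_name": name.lower() == DEFAULT_DB_NAME,
        "cryptic_name": bool(CRYPTIC_NAME_RE.match(name)),
        "messages": [],
    }
    if result["web_accessible"]:
        result["messages"].append(
            f"database downloadable at {web_url_for(db_path, web_root)}; "
            f"move it to a directory outside {web_root}")
        if result["default_name"]:
            result["messages"].append(
                "database still uses the default name, so the URL needs no guessing")
        elif not result["cryptic_name"]:
            result["messages"].append(
                "database name is not a long mix of letters and digits")
    return result


def find_optional_scripts(paths):
    """Filter deployed file paths for optional helper scripts that should be removed."""
    return sorted(p for p in paths if os.path.basename(p).lower() in OPTIONAL_SCRIPTS)


def scan_web_root(web_root):
    """Walk a real web root and report deployed optional helper scripts."""
    deployed = [os.path.join(d, f) for d, _, files in os.walk(web_root) for f in files]
    return find_optional_scripts(deployed)


if __name__ == "__main__":
    ROOT = "/srv/www"   # constructed paths; nothing here needs to exist on disk
    for db in ("/srv/www/forum/snitz_forums_2000.mdb",   # default name, in web root
               "/srv/www/forum/k3n9x2p0q7w4.mdb",        # renamed, still in web root
               "/srv/data/forum.mdb"):                   # moved outside the web root
        r = audit_database(ROOT, db)
        print(db, "->", r["messages"] or ["ok: database is not web-accessible"])
    print(find_optional_scripts(["/srv/www/forum/default.asp",
                                 "/srv/www/forum/whereami.asp"]))
```

Run it against the real paths from your config.asp and web server root; the renamed-but-still-in-webroot case is reported on purpose, since, as the reply notes, renaming is the weaker of the two fixes.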

Copyright 2010, SecurityFocus