That's not a product-specific exploit or a flaw in the product.
If somebody mis-configures their installation of it by putting the
database file in a directory accessible via the web, then getting the
database file is trivial for any package. The very first step in the
documentation for uguestbook says not to do that, see:
http://www.uapplication.com/uguestbook/doc.asp
> -----Original Message-----
> From: l--s (at) hotmail (dot) com [email concealed] [mailto:l--s (at) hotmail (dot) com [email concealed]]
> Sent: Thursday, July 28, 2005 10:31 AM
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: uguestbook exploit
>
> hello ,
>
> By ...... MeSa7eB
>
> Data ...... 28/7/2005
>
> pro ...... http://www.uapplication.com/
>
> My web site : http://3asfh.net/vb
>
> My Email : l--s (at) hotmail (dot) com [email concealed]
>
> ===============================================
>
> exploit :
>
> http://xxx.com/guestbook/mdb-database/guestbook.mdb
>
> ==================================
>
If somebody mis-configures their installation of it by putting the
database file in a directory accessible via the web, then getting the
database file is trivial for any package. The very first step in the
documentation for uguestbook says not to do that, see:
http://www.uapplication.com/uguestbook/doc.asp
> -----Original Message-----
> From: l--s (at) hotmail (dot) com [email concealed] [mailto:l--s (at) hotmail (dot) com [email concealed]]
> Sent: Thursday, July 28, 2005 10:31 AM
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: uguestbook exploit
>
> hello ,
>
> By ...... MeSa7eB
>
> Data ...... 28/7/2005
>
> pro ...... http://www.uapplication.com/
>
> My web site : http://3asfh.net/vb
>
> My Email : l--s (at) hotmail (dot) com [email concealed]
>
> ===============================================
>
> exploit :
>
> http://xxx.com/guestbook/mdb-database/guestbook.mdb
>
> ==================================
>
[ reply ]