PT-2008-1435 · Mybloggie · Mybloggie
Jesper Jurcenoks
·
Publicado
2008-07-09
·
Atualizado
2008-09-05
·
CVE-2007-3650
CVSS v3.1
5.3
Média
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
myBloggie version 2.1.6
Description
The issue allows remote attackers to obtain sensitive information. This can be achieved through several methods:
- by providing an invalid year parameter to "calendar.php", which can be reached through "index.php",
- by making a direct request to "common.php",
- or by including a
modearray parameter in the query string to "login.php". These actions can reveal the installation path in various error messages.
Recommendations
For myBloggie version 2.1.6, consider restricting access to "calendar.php", "common.php", and "login.php" to minimize the risk of exploitation.
As a temporary workaround, avoid using the
mode array parameter in the query string to "login.php" until the issue is resolved.
Additionally, validate user input, especially the year parameter to "calendar.php", to prevent the disclosure of sensitive information.Exploit
Correção
Information Disclosure
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Mybloggie