CVE-2006-6888

Name of the Vulnerable Software and Affected Versions: P-News versions 1.16 through 1.17

Description: The issue allows remote attackers to obtain sensitive information, including the administrative account name and password hash, due to insufficient access control. This is achieved by making a direct request for the db/user.dat file, which stores sensitive information under the web root.

Recommendations: For P-News versions 1.16 through 1.17, consider restricting access to the db/user.dat file to minimize the risk of exploitation. As a temporary workaround, limit direct requests to this file until a proper fix is applied.