PT-2008-1435 · Mybloggie · Mybloggie
Jesper Jurcenoks
·
Published
2008-07-09
·
Updated
2008-09-05
·
CVE-2007-3650
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
myBloggie version 2.1.6
Description
The issue allows remote attackers to obtain sensitive information. This can be achieved through several methods:
- by providing an invalid year parameter to "calendar.php", which can be reached through "index.php",
- by making a direct request to "common.php",
- or by including a
modearray parameter in the query string to "login.php". These actions can reveal the installation path in various error messages.
Recommendations
For myBloggie version 2.1.6, consider restricting access to "calendar.php", "common.php", and "login.php" to minimize the risk of exploitation.
As a temporary workaround, avoid using the
mode array parameter in the query string to "login.php" until the issue is resolved.
Additionally, validate user input, especially the year parameter to "calendar.php", to prevent the disclosure of sensitive information.Exploit
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Mybloggie