PT-2009-6586 · Deluxebb · Deluxebb
Cp77Fk4R · Published 2009-12-30 · Updated 2017-08-17 · CVE-2009-4465
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions: DeluxeBB version 1.3
Description: The issue allows remote attackers to obtain sensitive information, including user and configuration data and log files, and to gain administrative access. This is possible because sensitive files are stored under the web root with insufficient access control. Attackers can reach scripts in various directories, such as templates/, images/, logs/, wysiwyg/, docs/, classes/, lang/, and settings/, via a direct HTTP request. In particular, the administrative scripts under templates/deluxe/admincp/, templates/corporate/admincp/, and templates/blue/admincp/, as well as files such as logs/cp.php, can be requested directly.
Recommendations: For DeluxeBB version 1.3, restrict direct access to the sensitive directories and files listed above (templates/, images/, logs/, wysiwyg/, docs/, classes/, lang/, and settings/) to prevent unauthorized access. As a temporary workaround, restrict access to the logs/ directory and to files such as logs/cp.php to minimize the risk of exploitation. Additionally, limit access to the administrative scripts in templates/deluxe/admincp/, templates/corporate/admincp/, and templates/blue/admincp/ until a proper fix is applied.
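One way to apply the recommended restrictions at the web server, as an added example that is not part of this advisory or of the DeluxeBB project: the Apache httpd 2.4 configuration below denies direct HTTP requests to the directories the advisory names. It assumes DeluxeBB is installed at /var/www/deluxebb (a placeholder path) and that templates/, images/ and wysiwyg/ also hold static assets (stylesheets, images, editor scripts) that browsers must still be able to fetch, so in those directories only server-side script files are blocked while logs/, settings/, classes/, lang/ and docs/ are closed off entirely.

```apache
# Added example (not from the advisory or the DeluxeBB project).
# Assumptions: DeluxeBB lives at /var/www/deluxebb and is served by Apache 2.4.

<Directory "/var/www/deluxebb">
    # Never expose directory listings; they reveal file names under the web root.
    Options -Indexes
    AllowOverride None
    Require all granted
</Directory>

# Directories with no browser-facing content: deny every request outright.
# "(/|$)" matches the directory itself and its subdirectories, but not
# a sibling whose name merely starts with the same letters (e.g. logs-old).
<DirectoryMatch "^/var/www/deluxebb/(logs|settings|classes|lang|docs)(/|$)">
    Require all denied
</DirectoryMatch>

# Directories that also serve static assets: keep CSS/images reachable but
# refuse direct requests for server-side scripts, which covers the admincp/
# scripts under templates/<theme>/admincp/ named in the advisory.
<DirectoryMatch "^/var/www/deluxebb/(templates|images|wysiwyg)(/|$)">
    <FilesMatch "\.(php|phtml|php[0-9]|inc)$">
        Require all denied
    </FilesMatch>
</DirectoryMatch>
```

After reloading httpd, verify the change from the defender's side: a request for /logs/cp.php or for any .php file below /templates/ should now return 403, while the forum's stylesheets and images under /templates/ and /images/ still load. Check the forum's own pages afterwards, since a theme or editor that legitimately includes a script from one of these directories over HTTP would need that single file allowed explicitly rather than the whole directory reopened.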


Related Identifiers: CVE-2009-4465
Affected Products: Deluxebb