PHP-Survey Database Access Vulnerability

From: MOD (br014c1155at_private)
Date: Fri Apr 26 2002 - 13:27:34 PDT

Next message: RSnake: "Re: apache + .htpasswd - bypass pwd check"

Previous message: Tom Donovan: "Re: KPMG-2002013: Coldfusion Path Disclosure"
Next in thread: Jens Knoell: "Re: PHP-Survey Database Access Vulnerability"
Reply: Jens Knoell: "Re: PHP-Survey Database Access Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

PHP-Survey is an online survey creation and management system written in
PHP. It uses a MySQL database on backend for all data handling.
Global.inc holds the database information, and settings for the survey's
interface. Global.inc on default settings is not interpreted by PHP hence
any user can make an HTTP request for global.inc and will be able to view
the source code, hence the database password, username, localhost is
revealed, and also superuser information for the administration of the poll
survey. A solution might be to rename global.inc to global.inc.php.

Next message: RSnake: "Re: apache + .htpasswd - bypass pwd check"
Previous message: Tom Donovan: "Re: KPMG-2002013: Coldfusion Path Disclosure"
Next in thread: Jens Knoell: "Re: PHP-Survey Database Access Vulnerability"
Reply: Jens Knoell: "Re: PHP-Survey Database Access Vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 26 2002 - 15:14:12 PDT