myBloggie index.php post_id Variable Path Disclosure

2005-05-05T06:44:30
ID OSVDB:16359
Type osvdb
Reporter Alberto Trivero (trivero@jumpy.it)
Modified 2005-05-05T06:44:30

Description

Vulnerability Description

myBloggie contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when a remote attacker passes malformed input to the 'post_id' variable of index.php, which discloses the physical installation path, resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.1.2 or higher, as it has been reported to fix this vulnerability. In addition, myWebland has released a patch for some older versions.

Manual Testing Notes

http://[victim]/mybloggie/index.php?mode=viewid&post_id='
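
Added example (not part of the original advisory and not myBloggie code): a log check that flags requests to index.php whose post_id is not a plain decimal integer, such as the quote character in the test URL above. It assumes Combined Log Format access logs and that legitimate post_id values are numeric; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Client address, request target and status from a Combined Log Format line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Assumption: a legitimate post_id is a short decimal integer.
VALID_POST_ID = re.compile(r"[0-9]{1,10}")


def suspicious_post_id(target):
    """Return the offending post_id value, or None if the request looks normal."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/index.php"):
        return None
    # parse_qs percent-decodes values, so %27 is compared as a literal quote.
    # keep_blank_values=True makes an empty "post_id=" visible as well.
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("post_id", []):
        if not VALID_POST_ID.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (client, status, bad_value) for every flagged log line."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        bad = suspicious_post_id(target)
        if bad is not None:
            hits.append((client, int(status), bad))
    return hits


# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/May/2005:06:50:01 +0000] "GET /mybloggie/index.php?mode=viewid&post_id=12 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [05/May/2005:06:51:13 +0000] "GET /mybloggie/index.php?mode=viewid&post_id=%27 HTTP/1.1" 200 812',
    '198.51.100.7 - - [05/May/2005:06:51:20 +0000] "GET /mybloggie/index.php?mode=viewid&post_id= HTTP/1.1" 200 790',
    '192.0.2.10 - - [05/May/2005:06:52:00 +0000] "GET /mybloggie/index.php HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for client, status, bad in scan(SAMPLE_LOG):
        print(f"{client} status={status} post_id={bad!r}")
```

The same numeric check belongs in input validation on the server side; in logs it only shows who has been probing the parameter.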

References:

Vendor URL: http://www.mywebland.com/
Vendor Specific Solution URL: http://mywebland.com/forums/viewtopic.php?t=180
Related OSVDB ID: 16360
Related OSVDB ID: 16361
Related OSVDB ID: 16362
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0049.html
CVE-2005-1497