Jax Newsletter jnl_records User Database Disclosure

2005-08-05T10:17:53
ID OSVDB:18580
Type osvdb
Reporter Lostmon Lords (Lostmon@gmail.com)
Modified 2005-08-05T10:17:53

Description

Vulnerability Description

Jax Newsletter contains a flaw that may lead to unauthorized information disclosure. The issue is triggered when jnl_records is accessed, which discloses the recorded "email", "hash", "mail_format", "gender", "nick", "mode", "groups", "action", "time", "ip", "age", "profession", and "nationality" data about registered users, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[victim]/newsletter/logs/jnl_records

References:

Vendor URL: http://www.jtr.de/scripting/php/index_eng.html
Secunia Advisory ID: 16332
Related OSVDB ID: 18577
Related OSVDB ID: 18578
Related OSVDB ID: 18579
Other Advisory URL: http://lostmon.blogspot.com/2005/08/jax-php-scripts-multiple.html
Bugtraq ID: 14481