phpPgAds / phpAdsNew create.php Installation Information Disclosure

2005-11-10T02:33:54
ID OSVDB:20735
Type osvdb
Reporter Toni Koivunen(toni.koivunen@fitsec.com)
Modified 2005-11-10T02:33:54

Description

Vulnerability Description

phpAdsNew contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when an attacker makes a direct request to the misc/revisions/create.php script, which will disclose path information as well as a complete list of installed files and their hashes resulting in a loss of confidentiality.

Solution Description

Upgrade to version 2.0.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Short Description

phpAdsNew contains a flaw that may lead to an unauthorized information disclosure.  The issue is triggered when an attacker makes a direct request to the misc/revisions/create.php script, which will disclose path information as well as a complete list of installed files and their hashes resulting in a loss of confidentiality.

References:

Vendor URL: http://phpadsnew.com/ Vendor Specific News/Changelog Entry: http://sourceforge.net/project/shownotes.php?group_id=36679&release_id=370942 Secunia Advisory ID:17464 Related OSVDB ID: 20741 Related OSVDB ID: 20744 Related OSVDB ID: 20740 Related OSVDB ID: 20736 Related OSVDB ID: 20737 Related OSVDB ID: 20739 Related OSVDB ID: 20742 Related OSVDB ID: 20738 Related OSVDB ID: 20743 Related OSVDB ID: 20745 Other Advisory URL: http://www.fitsec.com/advisories/FS-05-01.txt Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-11/0257.html Keyword: FS-05-01 FrSIRT Advisory: ADV-2005-2380 CVE-2005-3645