Hosting Controller forum.mdb Remote User Credential Disclosure

2006-04-07T05:17:41
ID OSVDB:24447
Type osvdb
Reporter Syst3m_f4ult()
Modified 2006-04-07T05:17:41

Description

Vulnerability Description

Hosting Controller contains a flaw that may lead to unauthorized information disclosure. The issue is caused by user credentials being stored in the "forum/db/forum.mdb" database file inside the web root, which discloses the administrator's username and password, resulting in a loss of confidentiality.

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Manual Testing Notes

http://[target]/forum/db/forum.mdb
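
An added example, not part of the original advisory or of Hosting Controller: a defender-side check that scans IIS W3C extended logs for requests that were served the database file named above. The log lines are constructed, and the field layout and the set of status codes are assumptions to adjust to the server's logging configuration.

```python
import posixpath
from urllib.parse import unquote

EXPOSED_PATH = "/forum/db/forum.mdb"   # path named in the advisory
SERVED = {"200", "206", "304"}         # full, partial, or already-cached copy

# Constructed sample in IIS W3C extended format; IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2006-04-07 05:20:11 GET /forum/default.asp - 192.0.2.10 200
2006-04-07 05:21:40 GET /forum/db/forum.mdb - 198.51.100.7 200
2006-04-07 05:22:02 GET /Forum/DB/Forum.MDB - 198.51.100.7 206
2006-04-07 05:23:15 GET /forum/db/forum.mdb - 203.0.113.5 404
"""

def normalize(stem):
    """Percent-decode, unify slashes, collapse dot segments and lowercase
    (Windows file names are case-insensitive)."""
    path = unquote(stem).replace("\\", "/")
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def find_mdb_downloads(log_text):
    """Return (date, time, client_ip, status) for each served request of the file."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column layout can change mid-file
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                    # skip truncated or malformed rows
        row = dict(zip(fields, values))
        if (normalize(row.get("cs-uri-stem", "")) == EXPOSED_PATH
                and row.get("sc-status") in SERVED):
            hits.append((row.get("date"), row.get("time"),
                         row.get("c-ip"), row.get("sc-status")))
    return hits

if __name__ == "__main__":
    for hit in find_mdb_downloads(SAMPLE_LOG):
        print(*hit)
```

Any hit means the credential database left the server, so the stored accounts should be treated as exposed.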

References:

Vendor URL: http://hostingcontroller.com/
Secunia Advisory ID: 19569
FrSIRT Advisory: ADV-2006-1268
CVE-2006-1764