Sensitive Information Disclosure in Flog

Summary

Vulnerability: Sensitive Information Disclosure in Flog
Discovered: 2006.01.17
Last Update: 2006.01.18 (Thanks to BlAcK dRanZER. Exploit fix & increase of critical level)
ID: EV0038
CVE: CVE-2006-0352
Risk Level: medium
Type: Sensitive Information Disclosure
Status: Unpatched
Vendor: n/a
Vulnerable Software: Flog (http://www.fluffington.com)
Version: 1.0.1
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

A sensitive information disclosure was found in the Flog (http://www.fluffington.com) script.

The data directory isn't protected by .htaccess in the default installation. This can be used to retrieve registered users' information, including logins and MD5 password hashes.
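A local audit for the condition described above, as an added example that is not part of the original advisory or of Flog: it walks a document root and reports `.dat` files in directories that no deny-all `.htaccess` covers. The function names, the `.dat` suffix filter and the constructed sample tree are assumptions; the rules it looks for are the standard Apache 2.4 and 2.2 deny directives.

```python
import os
import re
import tempfile

# Access-control directives (Apache 2.4 "Require", legacy 2.2 "Deny"/"Allow").
ACCESS = re.compile(r"^[ \t]*(Require|Deny|Allow)\b", re.I | re.M)
DENY_ALL = re.compile(
    r"^[ \t]*(Require[ \t]+all[ \t]+denied|Deny[ \t]+from[ \t]+all)[ \t]*$",
    re.I | re.M)

def is_denied(docroot, directory):
    """Nearest .htaccess with access directives decides (a simplification;
    assumes Apache with AllowOverride permitting these directives)."""
    docroot, current = os.path.realpath(docroot), os.path.realpath(directory)
    while True:
        htaccess = os.path.join(current, ".htaccess")
        if os.path.isfile(htaccess):
            with open(htaccess, encoding="utf-8", errors="replace") as fh:
                rules = fh.read()
            if ACCESS.search(rules):
                return bool(DENY_ALL.search(rules))
        parent = os.path.dirname(current)
        if current == docroot or parent == current:
            return False  # reached the document root without a deny rule
        current = parent

def exposed_data_files(docroot, suffix=".dat"):
    """Docroot-relative paths of data files that no deny rule covers."""
    exposed = []
    for dirpath, _dirs, files in os.walk(docroot):
        if is_denied(docroot, dirpath):
            continue
        for name in files:
            if name.endswith(suffix):
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                exposed.append(rel.replace(os.sep, "/"))
    return sorted(exposed)

def build_sample_tree(protected):
    """Constructed sample: <docroot>/flog/data/users.0.dat, optionally protected."""
    docroot = tempfile.mkdtemp()
    data = os.path.join(docroot, "flog", "data")
    os.makedirs(data)
    with open(os.path.join(data, "users.0.dat"), "w") as fh:
        fh.write("constructed placeholder record\n")
    if protected:
        with open(os.path.join(data, ".htaccess"), "w") as fh:
            fh.write("# block direct HTTP access\nRequire all denied\n")
    return docroot
```

A deny rule in `.htaccess` only takes effect when the server's `AllowOverride` setting permits it, so confirm the result against the live server configuration as well.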

PoC/Exploit

Example:

http://host/flog/data/users.0.dat

Solution

A solution for "Sensitive Information Disclosure in Flog" is not available. Check the vendor's website for updates.