[pLog-svn] [Lifetype Vulnerability] Very Serious File Disclosure Problem (read passwords/config whatever you want)

Jon Daley plogworld at jon.limedaley.com
Tue Feb 13 22:03:02 EST 2007


Good catch, Matt.  As far as the server getting hosed, it is okay 
(relatively so) in my case since mysql doesn't allow connections from 
remote hosts.  But this is an issue particularly for hosts (that's 
probably pretty much all of them) that allow remote mysql access.
I'll have to take a look at these sorts of bugs - someone made a 
pass through during the 1.0.4-1.0.6 timeframe, but there are presumably other 
ones like this.


On Tue, 13 Feb 2007, Matt Wood wrote:

> Dev List,
>
> There exists a very serious file disclosure vulnerability within the RSS
> engines that allows anyone to read the contents of files considered to be
> secure.
>
> I highly suggest that everyone turn all RSS off at the moment.
>
> I also suppose you will want to let other people know, I don't really have
> the time to mess with the forums warning people.
>
> Oscar / Jon, I will contact you separately later tonight as this
> vulnerability compromises www.lifetype.net... and I don't really want our
> new server to get hosed.
>
> -Matt
>

-- 
Jon Daley
http://jon.limedaley.com/

And when it rains on your parade, look up rather than down.
Without the rain, there would be no rainbow.
-- Jerry Chin