Bug 75545 - PHP-Blogger Disclosure of Sensitive Information Security Issu
Summary: PHP-Blogger Disclosure of Sensitive Information Security Issu
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/13665/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-12-24 06:14 UTC by Robert Muchacki (RETIRED)
Modified: 2004-12-27 03:00 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Robert Muchacki (RETIRED) gentoo-dev 2004-12-24 06:14:15 UTC
Description:
snilabs has reported a security issue in PHP-Blogger, which can be exploited by malicious people to disclose sensitive information.

The problem is that database files (.db) by default are stored inside the web root and are not correctly protected against being accessed directly on some server configurations. This can e.g. be exploited to disclose the admin password.

NOTE: Systems running Apache with support for .htaccess files are not affected by this issue.

Solution:
Configure PHP-Blogger to access database files in a directory outside the web root.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
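The advisory above describes a configuration weakness (database files served as static content from the web root) and its mitigation (keep them outside the web root, or deny direct access where .htaccess is honoured). The following is an added example, not part of this bug report, the Secunia advisory or the PHP-Blogger project: a small POSIX shell audit that lists `.db` files under a given document root and emits an Apache 2.4 directive that refuses to serve them. The sample web root it builds is constructed here for the demonstration; the directory layout and file names are assumptions, not PHP-Blogger's real ones.

```shell
#!/bin/sh
# Added example (not from the bug report or PHP-Blogger): audit a web root
# for database files that a web server would hand out as plain static files.

# Build a constructed sample web root so the script runs offline.
# The layout (blog/data/users.db) is an assumption for illustration only.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/blog/data"
  echo "admin:constructed-password" > "$root/blog/data/users.db"
  echo "<?php echo 'blog'; ?>" > "$root/blog/index.php"
  printf '%s' "$root"
}

# List every .db file below the document root. Anything listed here is
# reachable by URL on a server that serves unknown extensions as static files.
find_exposed_db_files() {
  find "$1" -type f -name '*.db' -print
}

# Number of exposed .db files; zero means the check passes.
count_exposed_db_files() {
  find "$1" -type f -name '*.db' | wc -l | tr -d ' '
}

# Apache 2.4 directive denying direct access to .db files. Place it in the
# server config or in a .htaccess file where AllowOverride permits it, which
# matches the advisory's note that such servers are not affected. Moving the
# files outside the web root, as the advisory's solution says, is still preferable.
htaccess_deny_db() {
  cat <<'EOF'
<FilesMatch "\.db$">
    Require all denied
</FilesMatch>
EOF
}

# Stand-alone run against the constructed sample root.
sample=$(make_sample_root)
echo "Exposed database files under $sample:"
find_exposed_db_files "$sample"
echo "Suggested Apache directive:"
htaccess_deny_db
rm -rf "$sample"
```

Run it against the real DocumentRoot (`find_exposed_db_files /var/www/localhost/htdocs`, path assumed) after deploying; a non-zero count means the data files are still inside the served tree.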
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-27 03:00:53 UTC
I see PHP-Blogger nowhere in the tree.