
Bug 75545

Summary: PHP-Blogger Disclosure of Sensitive Information Security Issue
Product: Gentoo Security
Reporter: Robert Muchacki (RETIRED) <muchar>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED INVALID    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://secunia.com/advisories/13665/
Whiteboard:
Package list:
Runtime testing required: ---

Description Robert Muchacki (RETIRED) gentoo-dev 2004-12-24 06:14:15 UTC
Description:
snilabs has reported a security issue in PHP-Blogger, which can be exploited by malicious people to disclose sensitive information.

The problem is that database files (.db) by default are stored inside the web root and are not correctly protected against being accessed directly on some server configurations. This can e.g. be exploited to disclose the admin password.

NOTE: Systems running Apache with support for .htaccess files are not affected by this issue.

Solution:
Configure PHP-Blogger to access database files in a directory outside the web root.

Reproducible: Always
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-27 03:00:53 UTC
I see PHP-Blogger nowhere in the tree.
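
The condition in the description above (database files kept inside the web root, shielded only where the server honours .htaccess) can be audited on a deployed tree. The script below is an added example, not part of the bug report or of PHP-Blogger; the file names, the `.db` suffix default and the sample tree are constructed, and the .htaccess check is a heuristic that only looks for a blanket deny directive.

```python
import os
import re
import tempfile

# Heuristic: a blanket deny in Apache 2.2 or 2.4 syntax anywhere in the file.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\b", re.I | re.M)

def htaccess_denies(directory, docroot):
    """True if a .htaccess between directory and docroot contains a blanket deny."""
    directory, docroot = os.path.abspath(directory), os.path.abspath(docroot)
    while True:
        path = os.path.join(directory, ".htaccess")
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                if DENY_RE.search(fh.read()):
                    return True
        parent = os.path.dirname(directory)
        if directory == docroot or parent == directory:
            return False
        directory = parent

def audit_docroot(docroot, suffixes=(".db",)):
    """Return sorted (relative_path, status) pairs for data files under docroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower().endswith(suffixes):
                # "htaccess-only": safe only where the server honours .htaccess.
                status = "htaccess-only" if htaccess_denies(dirpath, docroot) else "exposed"
                rel = os.path.relpath(os.path.join(dirpath, name), docroot)
                findings.append((rel, status))
    return sorted(findings)

def demo():
    """Build a constructed sample web root and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for sub in ("data", "backup"):
            os.mkdir(os.path.join(root, sub))
        for rel, text in (("data/blog.db", "x"), ("data/.htaccess", "Deny from all\n"),
                          ("backup/users.db", "x"), ("index.php", "<?php ?>")):
            with open(os.path.join(root, *rel.split("/")), "w") as fh:
                fh.write(text)
        return audit_docroot(root)

if __name__ == "__main__":
    for rel, status in demo():
        print(f"{status:14} {rel}")
```

Any file reported at all is still inside the web root; moving it outside, as the Solution text says, removes the dependency on server configuration.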