| VID | 21385 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | PHP-Fusion has a database backup file disclosure vulnerability. PHP-Fusion is a freely available PHP-based content management system (CMS) that uses a MySQL backend database. PHP-Fusion 4.0 and possibly earlier versions allow a remote attacker to access the database backup file on the remote system, because direct access to the backup files in the 'fusion_admin/db_backups' directory is not properly protected. By sending a specially crafted URL request for this file, with knowledge of the database file name, a remote attacker could obtain sensitive information without authorization, including user information and password hashes.
* References: http://www.osvdb.org/displayvuln.php?osvdb_id=9032 http://securitytracker.com/alerts/2004/Aug/1010983.html
* Platforms Affected: digitanium, PHP-Fusion 4.0 and possibly prior; any operating system, any version |
| Recommendation | No upgrade or patch available as of October 2004. Upgrade to the new version of PHP-Fusion when a version that fixes this problem becomes available from the PHP-Fusion Web site at http://sourceforge.net/projects/php-fusion/ |
| Related URL | CVE-2004-1724 (CVE) |
| Related URL | 10974 (SecurityFocus) |
| Related URL | 17037 (ISS) |